a formal analysis of the norwegian e-voting protocol · a formal analysis of the norwegian e-voting...

A formal analysis of the Norwegian e-voting protocol

Veronique Cortier, Cyrille Wiedling

To cite this version:

Veronique Cortier, Cyrille Wiedling. A formal analysis of the Norwegian e-voting protocol.[Research Report] RR-7781, INRIA. 2011. <inria-00636115>

HAL Id: inria-00636115

https://hal.inria.fr/inria-00636115

Submitted on 26 Oct 2011

HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, estdestinee au depot et a la diffusion de documentsscientifiques de niveau recherche, publies ou non,emanant des etablissements d’enseignement et derecherche francais ou etrangers, des laboratoirespublics ou prives.

https://hal.archives-ouvertes.fr

https://hal.inria.fr/inria-00636115

ISS

N02

49-6

399

ISR

NIN

RIA

/RR

--77

81--

FR+E

NG

RESEARCHREPORTN° 7781November 2011

Project-Team Cassis

A formal analysis of theNorwegian e-votingprotocolVéronique Cortier, Cyrille Wiedling

RESEARCH CENTRENANCY – GRAND EST

615 rue du Jardin BotaniqueCS2010154603 Villers-lès-Nancy Cedex

A formal analysis of the Norwegian e-votingprotocol∗

Véronique Cortier†, Cyrille Wiedling†

Project-Team Cassis

Research Report n° 7781 — November 2011 — 75 pages

Abstract: Norway has used e-voting in its last political election in September 2011, with morethan 25 000 voters using the e-voting option. The underlying protocol is a new protocol designed bythe ERGO group, involving several actors (a bulletin box but also a receipt generator, a decryptionservice, and an auditor). Of course, trusting the correctness and security of e-voting protocols iscrucial in that context. Formal definitions of properties such as privacy, coercion-resistance orverifiability have been recently proposed, based on equivalence properties.In this paper, we propose a formal analysis of the protocol used in Norway, w.r.t. privacy, consid-ering several corruption scenarios. Part of this study has conducted using the ProVerif tool, on asimplified model.

Key-words: e-voting, privacy, formal methods

∗ The research leading to these results has received funding from the European ResearchCouncil under the European Union’s Seventh Framework Program (FP7/2007-2013) / ERCgrant agreement no 258865, project ProSecure.† LORIA, CNRS & INRIA project Cassis

Analyse formelle du protocole de voteélectronique Norvégien

Résumé : En Septembre 2011, la Norvège a mis en place le vote élec-tronique lors de ses élections politiques, avec plus de 25 000 votants qui onteffectivement utilisé cette option. Le protocole sous-jacent, créé par la com-pagnie ERGOgroup, met en jeu plusieurs acteurs (une urne mais également ungénérateur de reçu, un déchiffreur et un auditeur). Pouvoir faire confiance enl’exactitude et la sécurité des protocoles de votes électroniques est bien entenducrucial dans ce contexte. En se basant sur des propriétés d’équivalence, desdéfinitions formelles de la confidentialité, de la résistance à la coercition ou dela vérifiabilité on été récemment proposées.

Dans ce rapport, nous proposons une analyse formelle du protocole utilisé enNorvège dans le but de démontrer la propriété de confidentialité en considérantplusieurs scénarios de corruption. Une partie de cette étude a été menée avecl’utilisation de l’outil ProVerif, sur un modèle simplifié.

Mots-clés : confidentialité, méthodes formelles, vote électronique

A formal analysis of the Norwegian e-voting protocol 3

1 Introduction

Electronic voting protocols promise a convenient, efficient and reliable way forcollecting and tallying the votes, avoiding for example usual human errors whencounting. It is used or have been used for political elections in several countrieslike e.g. USA, Estonia, Swiss and recently Norway, at least in trials. However,the recent history has shown that these systems are highly vulnerable to attacks.For example, the Diebold machines as well as the electronic machines used inIndia have been attacked [12, 20]. Consequently, the use of electronic votingraises many ethical and political issues. For example, the German Federal Con-stitutional Court decided on 3 March 2009 that electronic voting used for thelast 10 years was unconstitutional [1].

There is therefore a pressing need for a rigorous analysis of the security of e-voting protocols. A first step towards the security analysis of e-voting protocolsconsists in precisely defining security w.r.t. e-voting. Ryan et al. have proposedformal definitions for several key properties such as privacy, receipt-freeness,coercion resistance, or verifiability [11, 16] in terms of equivalence-based prop-erties. It is however difficult to formally analyse e-voting protocols for two mainreasons. First there are very few tools that can check equivalence properties:ProVerif [6, 7] is probably the only one but it does not really work in the contextof e-voting (because it tries to show a stronger notion of equivalence, which is notfulfilled when checking for ballot secrecy). Moreover, the cryptographic prim-itives used in e-voting are rather complex and non standard and are typicallynot supported by existing tools.

In this paper, we study the protocol used in last September for politicalelections in Norway [2]. E-voting was proposed as trials in several municipalitiesand more than 25 000 voters did use e-voting to actually cast their vote. Theprotocol is publicly available [14] and can be seen as a variant of the Heliosprotocol [4] with additional components: a Receipt Generator and an Auditorwhich aim at watching the Bulletin Box recording the votes. The resultingprotocol is therefore complex, e.g. using El Gamal encryption in a non standardway. In [14], Gjøsteen describes the protocol and discusses its security. To ourknowledge, there does not exist any security proof, even for the crucial propertyof vote privacy.

Our contribution. We conduct a formal analysis of the Norwegian protocolw.r.t. privacy. Our first contribution is the proposition of a formal model ofthe protocol in applied-pi calculus [3]. One particularity of the protocol is todistribute public keys pk(a1), pk(a2), and pk(a3) for the three authorities, suchthat the corresponding private keys a1, a2, and a3 verify the relation a1 + a2 =a3, allowing one component (here the Bulletin Box) to re-encrypt messages.The protocol also makes use of signature, of zero-knowledge proofs, of blindingfunctions and coding functions. We have therefore proposed a new equationaltheory reflecting the unusual behavior of the primitives.

Our second contribution is a formal security proof of privacy, in the presenceof arbitrarily many dishonest voters. Given the complexity of the equationaltheory (with e.g. four associative and commutative symbols), the resultingprocesses can clearly not be analyzed with existing tools, even ProVerif. Wetherefore proved privacy (expressed as an equivalence property) by hand. Theproof happens to be quite technical. Its first step is rather standard and consistsin guessing a relation such that the two initial processes and all their possible

RR n° 7781

4 Cortier & Wiedling

evolutions are in relation. The second step is more involved: it requires to proveequivalent an infinite number of frames, the frames representing all possibleattacker knowledge. Indeed, unlike most previously analyzed protocols, theNorwegian protocol emits receipts for the voters, potentially providing extrainformation to the attacker. Proving static equivalence is also made difficultdue to our equational theory (e.g. four associative and commutative symbols).

Our third contribution is an analysis of the protocol for further corruptionscenarios, using the ProVerif tool in a simplified model (therefore possibly losingattacks). In conclusion, we did not find any attack, except when the bulletinbox and the receipt generator or the decryption service alone are corrupted.These attacks are probably not surprising but they were never made explicit inthe documentation we found.

Related Work. [14] provides a discussion on the security of the Norwegianprotocol but no security proof. We do not know any other study related tothis protocol. Several other e-voting protocols have been studying using formalmethods. The FOO [13], Okamoto [19] and Lee et al. [17] voting protocols havebeen analysed in [11]. Similarly, Helios has been recently proved secure bothin a formal [10] and a computational [5] model. However, all these protocolswere significantly simpler to analyse. Indeed, the voters (and thus the dishonestvoters) had very few interactions with the other components, sending only theirballots. In contrast, in the Norwegian protocol, both the Receipt Generator andthe Bulletin Box send receipts to the voters, that depend in the casted ballot.Therefore, the knowledge of the attacker increases at each step.

We informally describe the protocol in Section 2. The applied-pi calculus isbriefly defined in Section 3. We then provide a formal modeling of the protocolin Section 4 and formally state and prove the privacy properties satisfied bythe protocol in Section 5. The results obtained with ProVerif are described inSection 6. Concluding remarks can be found in Section 7. All the proofs areprovided in Appendix.

2 Norwegian E-Voting Protocol

V P B

R

D

A

Norwegian protocol features several players including four players represent-ing the electronic poll’s infrastructure : a ballot box (B), a receipt generator(R), a decryption service (D) and an auditor (A). Each voter (V) can log inusing a computer (P) in order to submit his vote. Channels between computers(voters) and the ballot box are considered as authenticated channel, channelsbetween infrastructure’s player are untappable channels and channel betweenvoters and receipt generator is a unidirectional out-of-band channel. (Exampleof SMS is given in [14].) The protocol can be divided in three phases : the

Inria


V P B R

x ← gr ,w ← y1

r f (v) ,p← pfk ,si ← sign((x ,w , p) ,id v )

v

x ← xsV ,

w ←w sV xa2 ,p← pfk '

b=(x ,w , p , si)

r

b '=(b , x , w , p)

r ←dV (w x−a3) ,

h ←hash((vk (idV ) , b)) ,siR ← sign(h ,id R)

siR

Ok

(o ,dV ( f (o)sV))

o∈O

a2 , vk ( idV ) ,(v , sV ) ,V ∈EV

g , idV ,

y1=ga2

a3 , idR , vk ( idV )

(v ,dV ) ,V ∈EV

Figure 1: Submission of one vote.

setting phase, the submission phase, where voters submit their votes, and thecounting phase, where ballots are counted and auditor verifies the correctnessof the election.

2.1 Setting phaseBefore the election, private keys a1, a2, and a3 (such that a1 + a2 = a3) aredistributed over, respectively D, B, and R, while the corresponding public keysare made publicly available. The receipt generator R is assumed to have asigning key idR which corresponding verification key is distributed to P. Thevoters are also assume to each have a signing key idV which correspondingverification key is distributed to B. The bulletin board B is provided with atable V 7→ sV with a blinding factor sV for each voter V . The receipt generatorR is given a table V 7→ dV with a permutation function dV for each voter V .Finally, each voter V is assumed to received by post a table where, for eachvoting option o corresponds a precomputed receipt code dV (f(o)sV ).

2.2 Submission phaseThe submission phase is depicted in Figure 1. We detail below the expectedbehavior of each participant.

Voter (V). Each voter tells his computer what voting option o to submit andallows it to sign the corresponding ballot on his behalf. Then, he has to wait foran acceptance message coming from the computer and a receipt r sent by thereceipt generator through the out-of-band channel. Using the receipt, he verifiesthat the correct vote was submitted, that is, he checks that r = dV (f(o)sV ) byverifying that the receipt code r indeed appears in the line associated to o.

Computer (P). Voter’s computer encrypts voter’s ballot using the publickey y1 using standard El Gamal encryption. The resulting ballot is (gr, yrf(o))

RR n° 7781


where f is some encoding function for voting options. P also proves that thecreated ciphertext correspond to the correct vote, by computing a standardsignature proof of knowledge pfk . How pfk is computed exactly can be foundin [14]. P also signs the ballot with idV and sends it to the ballot box. It thenwaits for a confirmation siR coming from the latter, which is a hash of the initialencrypted ballot, signed by the receipt generator. After checking this signature,the computer notifies the voter that his vote has been taken into account.

Bulletin Box (B). Receiving an encrypted and signed ballot b from a com-puter, the ballot box checks first the correctness of signatures and proofs beforere-encrypting with a2 and blinding with sV the original encrypted ballot, alsogenerating a proof pfk ′, showing that its computation is correct. B then sendsthe new modified ballot b′ to the receipt generator. Once the ballot box receivesa message siR from the receipt generator, it simply checks that the receipt gen-erator’s signature is valid, and sends it to the computer.

Receipt generator (R). When receiving an encrypted ballot b′ = (b, x, w, p)from the ballot box, the receipt generator first checks signature and proofs (fromthe computer and the ballot box). If the checks are successful, it generates:

• a receipt code r = dV (wxa3) sent by out-of-band channel directly to thevoter. Intuitively, the receipt generator decrypts the (blinded) ballot,applying the permutation function dV associated to the voter. This givesassurance to the voter that the correct vote was submitted to the bulletinboard.

• a signature on a hash of the original encrypted ballot for the ballot box.Once transmitted by the bulletin board, it allows the computer to informthe voter that his vote has been accepted.

2.3 Counting phase

Once the ballot box is closed, the counting phase begins (Figure 2). The bal-lot box selects the encrypted votes x1, . . . , xk which need to be decrypted (ifa voter is re-voting, all the submitted ballots are in the memory of the ballotbox and only the last ballot should be sent) and sends them to the decryptionservice. The whole content of the ballot box b1, . . . , bn (n ≥ k) is revealedto the auditor, including previous votes from re-voting voters. The receiptgenerator sends to the auditor the list of hashes of ballots it has seen duringthe submission phase. The decryption service decrypts the incoming cipher-texts x1, . . . , xk received from the ballot box and mix the results before out-putting them dec(xσ(1), a1), . . . , dec(xσ(k), a1) where σ denotes the permutationobtained by shuffling the votes. It also provides the auditor with a proof pfkshowing that the input ciphertexts and the outcoming decryption indeed match.Using the ballot box content and the list of hashes from the receipt generator,the auditor verifies that no ballots have been inserted or lost and computes hisown list of encrypted ballots which should be counted. He compares this listwith the one received from the decryption service and verifies the proof givenby the latter.

Inria


A R B D

(h1 ,… , hn)

(x1 ,…, xk )

(b1,…, bn)

(( x1 ,…xk ) ,(dec (x σ (1 ) , a1),…, dec (xσ (k) , a1)), proof )

Figure 2: Counting phase.

3 Applied Pi Calculus

We use the framework of the applied-pi calculus [3] for formally describing theNorwegian protocol. To help with readability, the definitions of the applied-picalculus are briefly recalled here.

3.1 Terms

As usual, messages are represented by terms build upon an infinite set of namesN (used to name communication channels or atomic data), a set of variablesX and a signature Σ consisting of a finite set of function symbols which willbe used to represent cryptographic primitives. A function symbol f is assumedto be given with its arity ar(f). Then the set of terms T (Σ,X ,N ) is formallydefined by the grammar

t, t1, t2, . . . ::=x x ∈ Xn n ∈ Nf(t1, . . . , tn) f ∈ Σ, n = ar(f)

We write M1/x1 , . . . ,Mn /xn for the substitution that replaces the variables xi

with the termsMi. Nσ refers to the result of applying substitution σ to the freevariables of term N . A term is called ground when it does not contain variables.

In order to represent the properties of the primitives, the signature Σ isequipped with an equational theory E that is a set of equations which hold onterms built from the signature. We denote =E the smallest equivalence relationinduced by E, closed under application of function symbols, substitution ofterms for variables and bijective renaming of names. We write M =E N whenthe equation M = N is in the theory E.

Example 3.1. A standard signature for representing encryption is Σ = dec, pencwhere penc represents encryption while dec is decryption. Then the property ofdecryption is modeled by the theory Eenc, defined by the equationdec(penc(x, r, pk(k)), k) = x.

RR n° 7781


P,Q,R ::= (plain) processes0 null processP | Q parallel composition!P replicationν n.P name restrictionif φ then P else Q conditionalu(x).P message inputu〈M〉.P message output

A,B,C ::= extended processesP plain processA | B parallel compositionν n.A name restrictionν x.A variable restrictionM/x active substitution

Figure 3: Syntax for processes

3.2 Processes

Processes and extended processes are defined in Figure 3. The process 0 repre-sents the null process that does nothing. P | Q denotes the parallel compositionof P with Q while !P denotes the unbounded replication of P (i.e. the un-bounded parallel composition of P with itself). ν n.P creates a fresh name nand the behaves like P . if φ then P else Q behaves like P if φ holds and likeQ otherwise. u(x).P inputs some message in the variable x on channel u andthen behaves like P while u〈M〉.P outputs M on channel u and then behaveslike P . We write ν u for the (possibly empty) series of pairwise-distinct bindersν u1. · · · .ν un. The active substitution M/x can replace the variable x for theterm M in every process it comes into contact with and this behaviour can becontrolled by restriction, in particular, the process ν x (M/x | P ) correspondsexactly to let x = M in P . As in [10], we slightly extend the applied-pi calculusby letting conditional branches now depend on formulae φ, ψ ::= M = N |M 6=N | φ ∧ ψ. If M and N are ground, we define [[M = N ]] to be true if M =E Nand false otherwise. The semantics of [[ ]] is then extended to formulae in thestandard way.

The scope of names and variables are delimited by binders u(x) and ν (u).Sets of bound names, bound variables, free names and free variables are respec-tively written bn(A), bv(A), fn(A) and fv(A). Occasionally, we write fn(M)(respectively fv(M)) for the set of names (respectively variables) which appearin term M . An extended process is closed if all its variables are either boundor defined by an active substitution.

An context C[_] is an extended process with a hole instead of an extendedprocess. We obtain C[A] as the result of filling C[_]’s hole with the extendedprocess A. An evaluation context is a context whose hole is not in the scopeof a replication, a conditional, an input or an output. A context C[_] closes Awhen C[A] is closed.

A frame is an extended process built up from the null process 0 and activesubstitutions composed by parallel composition and restriction. The domain ofa frame ϕ, denoted dom(ϕ) is the set of variables for which ϕ contains an active

Inria


Par-0 A ≡ A | 0Par-A A | (B | C) ≡ (A | B) | CPar-C A | B ≡ B | ARepl !P ≡ P | !PNew-0 ν n.0 ≡ 0New-C ν u.ν w.A ≡ ν w.ν u.ANew-Par A | ν u.B ≡ ν u.(A | B)

where u 6∈ fv(A) ∪ fn(A)Alias ν x.M/x ≡ 0Subst M/x | A ≡ M/x | AM/xRewrite M/x ≡ N/x

where M =E N

Figure 4: Structural equivalence.

substitution M/x such that x is not under restriction. Every extended processA can be mapped to a frame ϕ(A) by replacing every plain process in A with 0.

3.3 Operational semanticsThe operational semantics of processes in the applied pi calculus is defined bythree relations : structural equivalence (≡), internal reduction (→) and labelledreduction ( α→). These relations are satisfying the rules in Figure 5 and aredefined such that :

Structural equivalence is defined in Figure 4. It is closed by α-conversion ofboth bound names and bound variables, and closed under application of eval-uation contexts. The internal reductions and labelled reductions are definedin Figure 5. They are closed under structural equivalence and application ofevaluation contexts. Internal reductions represent evaluation of condition andinternal communication between processes. Labelled reductions represent com-munications with the environment.

3.4 EquivalencesPrivacy properties are often stated as equivalence relations [11]. Intuitively, if aprotocol preserves ballot secrecy, an attacker should not be able to distinguishbetween a scenario where a voter votes 0 from a scenario where the voter votes 1.Static equivalence formally expresses indistinguishability of sequences of terms.

Definition 1 (Static equivalence). Two closed frames ϕ and ψ are staticallyequivalent, denoted ϕ ≈s ψ, if dom(ϕ) = dom(ψ) and there exists a set ofnames n and substitutions σ, τ such that ϕ ≡ ν n.σ and ψ ≡ ν n.τ and for allterms M,N such that n ∩ (fn(M) ∪ fn(N)) = ∅, we have Mσ =E Nσ holds ifand only if Mτ =E Nτ holds. Two closed extended processes A,B are staticallyequivalent, written A ≈s B, if their frames are statically equivalent; that is,ϕ(A) ≈s ϕ(B).

Example 3.2. Consider the signature and equational theory Eenc defined in Ex-ample 3.1. Let ϕ1 = ν k.σ1 and ϕ2 = ν k.σ2 where σ1 = penc(s1,r1,pk(k))/x1 ,

pk(k)/x2,

RR n° 7781


(Comm) c〈x〉.P | c(x).Q −→ P | Q

(Then) if φ then P else Q→ P if [[φ]] = true

(Else) if φ then P else Q→ Q otherwise

(In) c(x).Pc(M)−−−→ PM/x

(Out-Atom) c〈u〉.P c〈u〉−−−→ P

(Open-Atom)A

c〈u〉−−−→ A′ u 6= c

ν u.Aν u.c〈u〉−−−−−→ A′

(Scope)A

α−→ A′ u does not occur in αν u.A

α−→ ν u.A′

(Par)A

α−→ A′ bv(α) ∩ fv(B) = bn(α) ∩ fn(B) = ∅A | B α−→ A′ | B

(Struct)A ≡ B B

α−→ B′ B′ ≡ A′

Aα−→ A′

where α is a label of the form c(M), c〈u〉, or ν u.c〈u〉 such that u is either achannel name or a variable of base type.

Figure 5: Semantics for processes

σ2 = penc(s2,r2,pk(k))/x1, pk(k)/x2

and s1, s2, k are names. We have thatϕ1 6≈s ϕ2. Indeed, we penc(s1, r1, x2)σ1 =E x1σ1 but penc(s1, r1, x2)σ2 6=E x1σ2

However, we have that ν k, r1.σ1 ≈s ν k, r2.σ2.

Observational equivalence is the active counterpart of static equivalence,where the attacker can actively interact with the processes. The definition ofobservational equivalence requires to reason about all contexts (i.e. all adver-saries), which renders the proofs difficult. Since observational equivalence hasbeen shown to coincide [3, 18] with labelled bisimilarity, we adopt the later inthis paper.

Definition 2 (Labelled bisimilarity). Labelled bisimilarity (≈l) is the largestsymmetric relation R on closed extended processes such that ARB implies:

1. A ≈s B;

2. if A −→ A′, then B −→∗ B′ and A′RB′ for some B′;

3. if A α−→ A′ such that fv(α) ⊆ dom(A) and bn(α) ∩ fn(B) = ∅, thenB −→∗ α−→−→∗ B′ and A′RB′ for some B′.

Examples of labelled bisimilar processes will be provided in Section 5.

Inria


4 Modelling the protocol in applied-pi calculus

We now provide a formal specification of the protocol, using the framework ofthe applied-pi calculus, defined in the previous section. The first step consistsin modeling the cryptographic primitives used by the protocol.

4.1 Equational theory

We adopt the following signature to capture the cryptographic primitives usedby the protocol.

Σsign = Ok, fst, hash, p, pk, s, snd, vk, blind, d, dec,+, ∗, , , pair,renc, sign, unblind, checkpfk1, checkpfk2, checksign, penc, pfk1, pfk2

with function Ok is a constant ; fst, hash, p, pk, s, snd, vk are unary functions ;blind, d, dec, +, ∗, , , pair, renc, sign, unblind are binary functions ; checkpfk1,checkpfk2, checksign, penc are ternary functions and pfk1, pfk2 are quaternaryfunctions.

The term pk(K) denotes the public key corresponding to the secret key K inasymmetric encryption. Terms s(I), p(I), and vk(I) are respectively the blindingfactor, the parameter and the verification key associated to a secret id I. Thespecific coding function used by the receipt generator for a voter with secret idI, applied to a message M is represented by d(p(I),M). It corresponds to thefunction dI(M) explained in Section 2.2. The term blind(M,N) the messageM blinded by N . Unblinded such a blinded term P , using the same blindingfactor N is denoted by unblind(P,N). The term penc(M,N,P ) refers to theencryption of plaintext M using random nonce N and public key P . The termM N denotes the homomorphic combination of ciphertexts M and M ′ andthe corresponding operation on plaintexts is written P Q and R ∗S on nonces.The decryption of ciphertext C using secret key K is denoted dec(C,K). Theterm renc(M,K) is the re-encryption of the ciphertext M using a secret key Kand leads to another ciphertext of the same plaintext with the same nonce buta different public key. The operation between secret keys is denoted by K + L.The term sign(M,N) refers to the signature of the message M using secret idN . The term pfk1(M,N,P,Q) represents a proof of knowledge that proves thatQ is a ciphertext on the plaintext P using nonce N . The term pfk2(M,N,P,Q)denotes another proof of knowledge proving that Q is either a re-encryption ora masking of a term P using a secret key or nonce N . We introduce tuples usingpairings and, for convenience, pair(M1, pair(. . . , pair(Mn−1,Mn))) is abbreviatedas (M1, . . . ,Mn) and fst(sndi−1(M)) is denoted Πi with i ∈ N.

The properties of the primitives are then modelled by equipping the sig-nature with an equational theory E that asserts functions +, ∗, and arecommutative and associative, and includes the equations defined in Figure 6.The three first equations are quite standard. Equation (4) allows to decrypt ablinded ciphertext in order to get the corresponding blinded plaintext. Equa-tion (5) models the homomorphic combination of ciphertexts. Equation (6)represents the re-encryption of a ciphertext. The operation of unblinding is de-scribed through Equation (7). Equations (8), (9) and (10) allows respectivelythe verification of signatures and proofs of knowledge for pfk1 and pfk2 proofs.

RR n° 7781


fst(pair(x, y)) = x (1)snd(pair(x, y)) = y (2)

dec(penc(xplain, xrand, pk(xsk)), xsk) = xplain (3)dec(blind(penc(xplain, xrand, pk(xsk)), xblind), xsk) = blind(xplain, xblind) (4)

penc(xpl, xrand, xpub) penc(ypl, yrand, xpub) =

penc(xpl ypl,xrand ∗ yrand, xpub) (5)renc(penc(xplain, xrand, pk(xsk)), ysk) =

penc(xplain,xrand, pk(xsk + ysk)) (6)unblind(blind(xplain, xblind), xblind) = xplain (7)

checksign(xplain, vk(xid), sign(xplain, xid)) = Ok (8)checkpfk1(vk(xid), ball, pfk1(xid, xrand, xplain, ball)) = Ok

where ball = penc(xplain, xrand, xpub) (9)checkpfk2(vk(xid), ball, pfk2(xid, xbk, xplain, ball)) = Ok

where ball = renc(xplain, xbk) or ball = blind(xplain, xbk) (10)

Figure 6: Equations for encryption, blinding, signature amd proof of knowledge.

4.2 Norwegian protocol process specification

The description of the processes representing the actors of the protocol makesuse of auxiliary checks that are defined in Figure 7. For simplicity, we did notmodel re-voting.

The voting process V represents both the voter and his computer. It isparametrized by a free variable xvote representing voter’s vote and free namescauth, cRV which denote the channel shared with the voter and, respectively, theballot box and the receipt generator. g1 is a variable representing the public keyof the election, id is the secret id of the voter and idpR is a variable representingthe verification key of the receipt generator. Note that messages sent over cauthand cRV are also sent on the public channel cout to the adversary, to simulateauthenticated but not confidential channels.

φb(idi, x) = [(Π1(x),Π2(x),Π3(x)) = x∧checksign((Π1(x),Π2(x)), vk(idi),Π3(x)) = Ok∧ checkpfk1(vk(idi),Π1(x),Π2(x)) = Ok]

φs(idpR, x, y) = [checksign(x, idpR, y) = Ok]

φv(idpR, idi, x, y, v, z) = [checksign(x, idpR, y) = Ok ∧ d(p(idi), blind(v, s(idi))) = z]

(∀k = 1..3, xki = Πk(Π1(x)), ∀k = 4..7, xki = Πk−2(x))φr(idpi, x) = [(x1

i , x2i , x

3i ) = Π1(x) ∧ (Π1(x), x4

i , x5i , x

6i , x

7i ) = x

∧ checksign((x1i , x

2i ), idpi, x

3i ) = Ok ∧ checkpfk1(idpi, x

1i , x

2i ) = Ok

∧ checkpfk2(idpi, x4i , x

5i ) = Ok ∧ checkpfk2(idpi, x

6i , x

7i ) = Ok]

Figure 7: Auxiliary checks performed by the participants to the protocol.

Inria


V (cauth , cout, cRV , g1, id, idpR, xvote) = ν t .let e = penc(xvote, t, g1) inlet p = pfk1(id, t, xvote, e) inlet si = sign((e, p), id) incout〈(e, p, si)〉 .cauth〈(e, p, si)〉 . % encrypted ballot sent to BcRV (x) . cauth(y) .cout〈x〉 . cout〈y〉 .let hv = hash((vk(id), e, p, si)) in % recomputes what should

be sent by Rif φv(idpR, id, h, x, xvote, y) then cauth〈Ok〉 % checks validity

Process Bn corresponds to the ballot box, ready to listen to n voters. Theballots are coming from authenticated channels c1, . . . , cn and the ballot box cansend messages to the receipt generator, the decryption service and the auditorthrough secure channels cBR, cBD and cBA. The parameters of the ballot boxare keys : g1, g3 (public) and a2 (secret); public ids of voters idp1, . . . , idpn (i.e.verification keys) and corresponding blinding factors s1, . . . , sn. (Step c(sy1) isa technical synchronisation, it does not appear in the real specification.)

Bn(cBR, cBD, g1, a2, g3, idpR, c1, idp1, s1, . . . , cn, idpn, sn) =. . . . ci(xi) .if φb(idpi, xi) then % checks validity of ballotlet ei = renc(Π1(xi), a2) inlet pfkei = pfk2(idpi, a2,Π1(xi), ei) inlet bi = blind(ei, si) inlet pfk bi = pfk2(idpi, si, ei, bi) in % computes re-encrypted masked

ballot and corresponding proofs.cBR〈(xi, ei, pfkei , bi, pfkbi )〉.cBR(yi). % message sent to Rlet hbi = hash((vk(idi),Π1(xi),Π2(xi),Π3(xi))) inif φs(idpR, hbi, yi) then % checks validity of confirmationci〈yi〉 . ci(syi) . . . % transmit confirmation to the votercn〈yn〉 . cn(syn) .cBD〈Π1(x1)〉 . . . . . cBD〈Π1(xn)〉 . % output encrypted votes to the

Decryption ServicecBA〈x1〉 . . . . . cBA〈xn〉 % output the content to the Auditor

Receipt generator’s process is denoted by Rn. It deals with the ballot boxand the auditor through secure channels cBR and cRA and directly with votersthrough out-of-band channels cRV1

, . . . , cRVn . It is parametrized with keys: g1,g2 (public) and a3 (secret); the public ids of voters and corresponding receiptcoding functions parametrized by pr1, . . . , prn.

Rn(cBR, g1, g2, a3, idR, cRV1, idp1, pr1, . . . , cRVn , idpn, prn) =

. . . . cBR(xi) .let xki = Πk(Π1(xi)), k = 1..3 inlet xki = Πk−2(xi), k = 4...7 inif φr(idpi, xi) then % checks ballot box’s computationslet hbr i = hash((idpi, x

1i , x

2i , x

3i )) in

let hbpr i = hash((idpi, x1i , x

2i )) in

RR n° 7781


let ri = d(pri, dec(x6i , a3)) in % computes the receipt code for V

let sigi = sign(hbri, idR) in % computes confirmation for BcRVi〈ri〉 . cBR〈sigi〉 . . . .cRVn〈rn〉 . cBR〈sign〉 . . . .cRA〈(idp1, hbpr1, hbr1)〉 . . . . . cRA〈(idpn, hbprn, hbrn)〉

% output content to the Auditor

The decryption service is represented by process Dn. Communicating se-curely with the ballot box and the auditor through channels cBD and cDA, italso outputs results through public channel cout. In order to decrypt ballots, itneeds to know the secret key a1. We model two processes, one including a swapbetween the two first votes, to model the shuffling which is necessary to ensureballot secrecy.

Dn(cBD, cDA, cout, a1) =cBD(x1) . . . . . cBD(xn) .cDA〈hash((x1, . . . , xn))〉 . cDA(x) . % creating hash of ciphertexts and

waiting for auditor’s approvallet deck = dec(xk, a1), k = 1..n in % decryption of ciphertextscout〈dec1〉 . . . . . cout〈decn〉 % publication of results

Dn(cBD, cDA, cout, a1) =cBD(x1) . . . . . cBD(xn) .cDA〈hash((x1, . . . , xn))〉 . cDA(x) .let dec1 = dec(x2, a1) in % the swap between the two firstlet dec2 = dec(x1, a1) in votes is modelled herelet deck = dec(xk, a1), k = 3..n incout〈dec1〉 . . . . . cout〈decn〉

Finally, the auditor process, ADn, communicates with the other infrastruc-ture players using secure channels cBA, cRA and cDA. It knows public ids ofvoters.

ADn(cBA, cRA, cDA, idp1, . . . , idpn) =cDA(hd) . % input of contents of B, R and DcBA(x1) . . . . . cBA(xn) . cRA(h1) . . . . . cRA(h1) .let hbai = hash((Π1(xi),Π2(xi),Π3(xi))) inlet hbpai = hash((Π1(xi),Π2(xi))) inlet ha = hash((Π1(x1), . . . ,Πn(xn))) inif φa(x1, h1, idp1, . . . , xn, hn, idpn, h, hd) then cDA〈Ok〉 else 0

% checks and approval sent to D.

where φa(x1, h1, idp1, . . . , xn, hn, idpn, h, hd) = [(Π1(xi),Π2(xi),Π3(xi)) = xi∧(Π1(hi),Π2(hi),Π3(hi)) = hi ∧ Π2(hi) = hbpi ∧Π3(hi) = hbi ∧ hd = h∧ checksign((Π1(xi),Π2(xi)), idpi,Π3(xi)) = Ok]

The interaction of all the players is simply modelled by considering all theprocesses in parallel, with the correct instantiation and restriction of the pa-rameters. In what follows, the restricted name a1, a2, a3 model secret keysused in the protocol and public keys pk(a1), pk(a2) and pk(a3) are added inthe process frame. The restricted name c1, c2 and cRV1

, cRV2model authentic

channels between honest voters and, respectively, the ballot box and the receipt

Inria


generator. The restricted name id1, id2, idR represent secret ids of honest votersand receipt generator, the corresponding public id’s are added in the process’sframe.

Then the setting of the authorities is modelled by An [_] where n is thenumber of voters and the hole is the voter place. An [_] is the analogue ofAn [_] with the Decryption service swapping the two first votes (its use will beclearer in the next section, when defining vote privacy).

n = (a1, a2, id1, id2, idR, c1, c2, cRV1, cRV2

, cBR, cBD, cBA, cRA, cDA)Γ = pk(a1)/g1 ,

pk(a2)/g2 ,pk(a3)/g3 ,

vk(id1)/idp1 , . . . ,vk(idn) /idpn ,

vk(idR)/idpRAn [_] = ν n .(let a3 = a1 + a2 in [_|Bns(id1)/s1 , · · · ,s(idn) /sn

|Rnp(id1)/pr1 , · · · ,p(idn) /prn|Dn|ADn|Γ])An [_] = ν n .(let a3 = a1 + a2 in [_|Bns(id1)/s1 , · · · ,s(idn) /sn

|Rnp(id1)/pr1 , · · · ,p(idn) /prn|Dn|ADn|Γ])

The frame Γ represents the initial knowledge of the attacker: it has accessto the public keys of the authorities and the verification keys of the voters.Moreover, since only the two first voters are assumed to be honest, only theirtwo secret ids are restricted (in n). The attacker has therefore access to thesecret ids of all the other voters. Parameters of subprocesses are left implicitexcept for s1, . . . , sn for the ballot box and pr1, . . . , prn for the receipt generatorwhich are respectively replaced by s(id1), . . . , s(idn), the blinding factors, andp(id1), . . . , p(idn), used to distinguish the coding dunction associated to a voter.

5 Formal analysis of ballot secrecy

Our analysis shows that the Norwegian e-voting protocol preserves ballot se-crecy, even when all but two voters are corrupted, provided that the othercomponents are honest. We also identified several cases of corruption that aresubject to attacks. Though not surprising, these cases were not previously men-tioned in the literature.

5.1 Ballot secrecy with corrupted voters

Ballot secrecy has been formalized in terms of equivalence by Delaune, Kremer,and Ryan in [11]. A protocol with voting process V (v, id) and authority pro-cess A preserves ballot secrecy if an attacker cannot distinguish when votes areswapped, i.e. it cannot distinguish when a voter a1 votes v1 and a2 votes v2

from the case where a1 votes v2 and a2 votes v1. This is formally specified by:

νn.(A | V v2/x,a1 /y | V v1/x,a2 /y) ≈l νn.(A | V v1/x,a1 /y | V v2/x,a2 /y)

We are able to show that the Norwegian protocol preserves ballot secrecy,even all but two voters are corrupted.

RR n° 7781


Theorem 3. Let n be the number of voters. The Norwegian e-voting protocolprocess specification satisfies ballot secrecy with the auditing process, even withn− 2 voters are corrupted, provided that the other components are honest.

An[V c1/cauth ,cRV1 /cRV σ | V c2/cauth ,cRV2 /cRV τ ]

≈l An [V c1/cauth ,cRV1 /cRV τ |V c2/cauth ,cRV2 /cRV σ]

where σ = v1/xvote and τ = v2/xvote.

We can also show ballot secrecy, without an auditor. This means that theauditor does not contribute to ballot secrecy in case the administrative compo-nents are honest (which was expected). Formally, we define A′n [_] and An [_]

′

to be the analog of An [_] and An [_], removing the auditor.

Theorem 4. Let n be the number of voters. The Norwegian e-voting protocolprocess specification satisfies ballot secrecy without the auditing process, evenwith n− 2 voters are corrupted, provided that the other components are honest.

A′n[V c1/cauth ,cRV1 /cRV σ | V c2/cauth ,cRV2 /cRV τ ]

≈l A′n [V c1/cauth ,cRV1 /cRV τ |V c2/cauth ,cRV2 /cRV σ]

where σ = v1/xvote and τ = v2/xvote.

The proof of Theorems 3 and 4 works in two main steps. First we guessa relation R such that for any two processes P,Q in relation (PRQ) anymove of P can be matched by a move of Q such that the resulting processesremain in relation. This amounts to characterize all possible successors ofAn[V c1/cauth ,cRV1 /cRV σ | V c2/cauth ,cRV2 /cRV τ ] andAn[V c1/cauth ,cRV1 /cRV τ|V c2/cauth ,cRV2 /cRV σ]. We show in particular that whenever the attacker sendsa term N that is accepted by the ballot box for a voter with secret id id, thenN is necessarily an id - valid ballot for the following definition.

Definition 5. Let id ∈ id1, . . . , idn. A term N is said to be a id - valid ballotif φb(id,N) = true, equivalently : N = (N1, N2, N3)

checksign((N1, N2), vk(id), N3) =E Okcheckpfk1(vk(id), N1, N2) =E Ok

.

The second and most involved step of the proof consists in showing that thesequences of messages observed by the attacker remain in static equivalence.This requires to prove an infinite number of static equivalences. Let us introduce

Inria


some notations.

θsub = pk(a1)/g1|pk(a2)/g2|pk(a3)/g3|vk(idR)/idpR|ball1/b1|ballo2/b2|vk(idi)/idpi| i = 1..n|d(p(idi),dec(blind(renc(Π1(xi),a2),s(idi)),a3))/yi|sign(hash((vk(idi),xi)),idR)/zi| i = 1..n

ΣL = v1/x1vote

,v2 /x2vote

ΣR = v2/x1vote

,v1 /x2vote

θct = dec(Π1(x1),a1)/result1 ,dec(Π1(x2),a1) /result2 ,

dec(Π1(xi),a1) /resulti |i = 3..nθct = dec(Π1(x2),a1)/result1 ,

dec(Π1(x1),a1) /result2 ,dec(Π1(xi),a1) /resulti |i = 3..n

where ball1 and ball2 are the terms sent by the two honest voters.

The frame θsub represents the messages sent over the (public) network duringthe submission phase. ΣL represents the scenario where voter 1 votes v1 andvoter 2 votes v2 while ΣL represents the opposite scenario. thetact and θctrepresent the results published by the decryption service.

All voters with secret id idi with i ≥ 3 are corrupted. Therefore, the at-tacker can submit any deducible term as a ballot, that is any term that can berepresented by Ni with fv(Ni) ⊆ dom(θ)\yj , zjj≥i (i.e. a recipe that can onlyre-use previously received messages). We are able to show that whenever themessage submitted by the attacker is accepted by the ballot box, then NiθiΣ isnecessarily an idi-valid ballots for Σ ∈ ΣL,ΣR.

A key result of our proof is that the final frames are in static equivalence,for any behavior of the corrupted users (reflected in the Ni).

Proposition 6. Let NiθiΣ be idi-valid ballots for Σ ∈ ΣL,ΣR and i ∈3, . . . , n, we have:

νn.(θsub |θct)σNΣL ≈s νn.(θsub |θct)σNΣR.where σN = ball1/x1

, ball2/x2, Nj/xj | j ∈ 3, . . . , n.

5.2 AttacksOur two previous results of ballot secrecy hold provided all the administrativecomponents (bulletin box, receipt generator, decryption service, and auditor)behave honestly. However, in order to enforce the level of trust, the votingsystem should remain secure even if some administrative components are cor-rupted. We describe below two cases of corruption where ballot secrecy is nolonger guaranteed.

Dishonest decryption service. The decryption service is a very sensitivecomponent since it has access to the decryption key a1 of the public key used forthe election. Therefore, a corrupted decryption service can very easily decryptall encrypted ballots and thus learns the votes as soon as he has access to thecommunication between the voters and the bulletin box (these communicationsbeing conducted on the public Internet network). Even if we did not find anyexplicit mention of this, we believe that the designers of the protocol implicitlyassume that a corrupted decryption would not be able to control (some of) thecommunication over the Internet. However, a corrupted decryption service canlearn the votes even without access to Internet. Indeed, the ballots are sent by

RR n° 7781


the bulletin box in the same order they arrived to the bulletin box. Assume forexample that the decryption service knows that Alice has voted first (or last). Itcan then very easily learns her vote when decrypting the first ballot it receives.More generally, provided the decryption service has access to some informationon the order of the votes, it then gains some knowledge on the votes.

Dishonest bulletin box and receipt generator. Clearly, if the bulletinbox and the receipt generator collude, they can compute a1 = a3 − a2 andthey can then decrypt all incoming encrypted ballots. More interestingly, acorrupted receipt generator does not need the full cooperation of the bulletinbox for breaking ballot secrecy. Indeed, assume that the receipt generator hasaccess, for some voter V , to the blinding factor sV used by the bulletin to blindthe ballot. Recall that the receipt generator retrieves f(o)sV when generatingthe receipt codes (by computing wx−a3). Therefore, the receipt generator cancompute f(o′)sV for any possible voting option o′. Comparing with the obtainedvalues with f(o)sV it would easily deduce the chosen option o. Of course, themore blinding factors the receipt generator can get, the more voters it canattack. Therefore, the security of the protocol strongly relies on the security ofthe blinding factors which generation and distribution are left unspecified in thedocumentation. The bulletin box can also perform a similar attack, providedit can learn some coding function dV and additionally, provided that it hasaccess to the SMS sent by the receipt generator, which is probably a too strongcorruption scenario.

6 Further corruption cases using ProVerifIn order to study further corruption cases, we have used ProVerif, the onlytool that can analyse equivalence properties in the context of security protocols.Of course, we needed to simplify the equational theory since ProVerif doesnot handle associative and commutative (AC) symbols and our theory needsfour of them. So we have considered the theory E′ defined by the equationsof Figure 6, except equation (5) that represents homomorphic combination ofciphertexts and we have replaced AC symbols + and ∗ by free function symbolsf and g. Using this simplified theory, it is clear that we can miss some attacks,but testing corruption assumptions is still relevant even if the attacker is a bitweaker than in our first study.

As ProVerif is designed to prove equivalences between processes that differonly by terms, we need to use another tool, ProSwapper [15], to model theshuffle done by the decryption service. More precisely, we actually used theiralgorithm to compute directly a shuffle in our ProVerif specification.

The results are displayed in Table 1 and 2 and have been obtained witha standard (old) laptop1. In these tables, X indicates that ballot secrecy issatisfied, × shows that there is an attack, and - indicates that ProVerif was notable to conclude. No indication of times means that we do not proceed to a testin ProVerif but, as we already knew that there was an attack. In particular, allthe attacks described in Section 5.2 are displayed in the tables.

Our case study with ProVerif indicates that ballot secrecy is still preservedeven when the Receipt Generator is corrupted (as well as several voters), at

12.00 Ghz processor with 2 GB of RAM Memory

Inria


Table 1: Results and computation times for the protocol without auditor.hhhhhhhhhhhhhhhCorr. Players

Corr. Voters 0 1 2 5 10

None X X X X X0.4" 0.9" 2.4" 16.1" 20’59"

Ballot Box (B) ->1h

Receipt Generator (R) X X X X X1.1" 2.4" 5.7" 1’15" 39’30"

Decryption Service (D) × ×0.2"

B + R × ×0.3"

D+B, D+R, D+R+B x

Table 2: Results and computation times for the protocol with auditor.hhhhhhhhhhhhhhhCorr. Players

Corr. Voters 0 1 2 3 4

None X X X X X0.6" 1,8" 4.1" 27.7" 11’1"

Ballot Box (B) ->1h

Receipt Generator (R) X X X X X1.1" 1.9" 5.9" 29.1" 10’33"

Auditor (A) X X X X X0.4" 1.9" 2.6" 5.8" 12.1"

R + A X X X X X0.6" 1.9" 5.5" 14.5" 34.4"

B+R, B+R+A, D xD + any other combination

least in the simplified theory. Unfortunately, ProVerif was not able to concludein the case the Ballot Box is corrupted.

7 Discussion

We have proposed the first formal proof that the e-voting protocol recently usedin Norway indeed satisfies ballot secrecy, even when all but two voters are cor-rupted and even without the auditor. As expected, ballot secrecy is no longerguaranteed if both the bulletin box and the receipt generator are corrupted.Slightly more surprisingly, the protocol is not secure either if the decryptionservice is corrupted, as discussed in Section 5.2. More cases of corruption need

RR n° 7781


to be studied, in particular when the bulletin board alone is corrupted, we leavethis as future work. In addition, it remains to study other security propertiessuch as coercion-resistance or verifiability. Instead of doing additional (long andtechnical) proofs, a further step consists in developing a procedure for automat-ically checking for equivalences. Of course, this is a difficult problem. A firstdecision procedure has been proposed in [9] but is limited to subterm convergenttheories. An implementation has recently been proposed [8] but it does not sup-port such a complex equational theory. An alternative step would be to developa sound procedure that over-approximate the relation, losing completeness inthe spirit of ProVerif [6] but tailored to privacy properties.

We would like to emphasize that the security proofs have been conducted ina symbolic thus abstract model. This provides a first level of certification, rulingout “logical” attacks. However, a full computational proof should be developed,identifying in particular the security assumptions.

It is also important to note that the security of the protocol strongly relieson the way initial secrets are pre-distributed. For example, three private de-cryption keys a1, a2, a3 (such that a1 +a2 = a3) need to be securely distributedamong (respectively) the bulletin board, the receipt generator and the decryp-tor. Also, a table (id, s(id)) containing the blinding factor for each voter needsto be securely distributed to bulletin board and a table (id, did) containing apermutation for each voter needs to be securely distributed to the receipt gen-erator. Moreover, anyone with access with both the codes mailed to the votersand to the SMS emitted by the receipt generator would immediately learn thevalues of all the votes. We did not find in the documentation how and by whoall these secret values were distributed. It should certainly be clarified as itcould be a weak point of the system.

References

[1] http://www.dw-world.de/dw/article/0„4069101,00.html.

[2] Web page of the norwegian government on the deployment of e-voting.http://www.regjeringen.no/en/dep/krd/prosjekter/e-vote-2011-project.html.

[3] M. Abadi and C. Fournet. Mobile values, new names, and secure communi-cation. In Proc. of the 28th ACM Symposium on Principles of ProgrammingLanguages (POPL’01), pages 104–115, January 2001.

[4] B. Adida. Helios: Web-based Open-Audit Voting. In USENIX Security’08:17th USENIX Security Symposium, pages 335–348. USENIX Association,2008.

[5] D. Bernhard, V. Cortier, O. Pereira, B. Smyth, and B. Warinschi. Adapt-ing Helios for provable ballot secrecy. In ESORICS’11: 16th EuropeanSymposium on Research in Computer Security, LNCS. Springer, 2011. Toappear.

[6] B. Blanchet. An automatic security protocol verifier based on resolutiontheorem proving (invited tutorial). In 20th International Conference onAutomated Deduction (CADE-20), Tallinn, Estonia, July 2005.

Inria


[7] B. Blanchet, M. Abadi, and C. Fournet. Automated verification of selectedequivalences for security protocols. In 20th IEEE Symposium on Logic inComputer Science (LICS 2005), pages 331–340. IEEE Computer Society,June 2005.

[8] V. Cheval, H. Comon-Lundh, and S. Delaune. Trace equivalence decision:Negative tests and non-determinism. In 18th ACM Conference on Com-puter and Communications Security (CCS’11). ACM Press, Oct. 2011. Toappear.

[9] V. Cortier and S. Delaune. A method for proving observational equivalence.In CSF’09: 22nd Computer Security Foundations Symposium, pages 266–276. IEEE Computer Society, 2009.

[10] V. Cortier and B. Smyth. Attacking and fixing Helios: An analysis of bal-lot secrecy. In CSF’11: 24th Computer Security Foundations Symposium,pages 297–311. IEEE Computer Society, 2011.

[11] S. Delaune, S. Kremer, and M. D. Ryan. Verifying privacy-type propertiesof electronic voting protocols. Journal of Computer Security, 17(4):435–487, 2009.

[12] A. J. Feldman, J. A. Halderman, and E. W. Felten. Security analysis ofthe diebold accuvote-ts voting machine. http://itpolicy.princeton.edu/voting/, 2006.

[13] A. Fujioka, T. Okamoto, and K. Ohta. A Practical Secret Voting Schemefor Large Scale Elections. In AUSCRYPT’92: Workshop on the Theoryand Application of Cryptographic Techniques, volume 718 of LNCS, pages244–251. Springer, 1992.

[14] K. Gjøsteen. Analysis of an internet voting protocol. Cryptology ePrintArchive, Report 2010/380, 2010. http://eprint.iacr.org/.

[15] P. Klus, B. Smyth, and M. D. Ryan. ProSwapper: Improved equivalenceverifier for ProVerif. http://www.bensmyth.com/proswapper.php, 2010.

[16] S. Kremer, M. D. Ryan, and B. Smyth. Election verifiability in electronicvoting protocols. In ESORICS’10: 15th European Symposium on Researchin Computer Security, volume 6345 of LNCS, pages 389–404. Springer,2010.

[17] B. Lee, C. Boyd, E. Dawson, K. Kim, J. Yang, and S. Yoo. ProvidingReceipt-Freeness in Mixnet-Based Voting Protocols. In ICISC’03: 6th In-ternational Conference on Information Security and Cryptology, volume2971 of LNCS, pages 245–258. Springer, 2004.

[18] J. Liu. A Proof of Coincidence of Labeled Bisimilarity and Observa-tional Equivalence in Applied Pi Calculus. http://lcs.ios.ac.cn/~jliu/papers/LiuJia0608.pdf, 2011.

[19] T. Okamoto. Receipt-Free Electronic Voting Schemes for Large Scale Elec-tions. In SP’97: 5th International Workshop on Security Protocols, volume1361 of LNCS, pages 25–35. Springer, 1998.

RR n° 7781

http://itpolicy.princeton.edu/voting/

http://itpolicy.princeton.edu/voting/

http://eprint.iacr.org/

http://www.bensmyth.com/proswapper.php

http://lcs.ios.ac.cn/~jliu/papers/LiuJia0608.pdf

http://lcs.ios.ac.cn/~jliu/papers/LiuJia0608.pdf


[20] S. Wolchok, E. Wustrow, J. A. Halderman, H. K. Prasad, A. Kankipati,S. K. Sakhamuri, V. Yagati, and R. Gonggrijp. Security analysis of india’selectronic voting machines. In Proc. 17th ACM Conference on Computerand Communications Security (CCS 2010), Chicago, IL, October 2010.

Inria


A Proof of Static equivalence

A.1 Definitions and notationsDefinition 7. Let N3, . . . , Nn be free terms. We use the following notations,for n ∈ N, i ∈ 1, 2 and j ∈ 1, . . . , n :

ei = penc(xivote, ti, pk(a1)) pfk i = pfk1(idi, ti, xivote, ei)

sigi = sign((ei, pfk i), idi) balli = (ei, pfk i, sigi)hvi = hash((vk(idi), ei, pfk i, sigi)) sj = s(idj)e′j = renc(Π1(xj), a2) pfk ′j = pfk2(idpj , a2,Π1(xj), e

′j)

e′′j = blind(e′j , sj) pfk ′′j = pfk2(idpj , sj , e′j , e′′j )

ball′j = (xj , e′j , pfk

′j , e′′j , pfk

′′j ) hbbj = hash((idpj , xj))

prj = p(idj) rj = d(prj , dec(Π6(pj), a3))hbrj = hash((idpj ,Π1(pj),Π2(pj),Π3(pj))) sigRj = sign(hbrj , idR)hbprj = hash((idpj ,Π1(pj),Π2(pj))) decj = dec(dj , a1)σ = v1/x1

vote τ = v2/x1

vote

ΣL = v1/x1vote

,v2 /x2vote ΣR = v2/x1

vote,v1 /x2

vote

R = dec(Π1(x1),a1)/result1|dec(Π1(x2),a1)/result2R = dec(Π1(x2),a1)/result1|dec(Π1(x1),a1)/result2θ = pk(a1)/g1|pk(a2)/g2|pk(a3)/g3|vk(idR)/idpR|ballot1/b1|ballot2/b2|

vk(idi)/idpi| i = 1..n|dec(Π1(xi),a1)/resulti| i = 3..n|d(p(idi),dec(blind(renc(Π1(xi),a2),s(idi)),a3))/yi|sign(hash((vk(idi),xi)),idR)/zi| i = 1..n,

Some notation around θ (Note that θresn = θd) :

θd =pk(a1)/g1|pk(a2)/g2|pk(a3)/g3|vk(idR)/idpR|penc(xvotei ,ri,pk(a1))/ei|

pfk1(idi,ri,xvotei ,ei)/pfki|

sign((ei,pfki),idi)/sigi| i = 1, 2|vk(idi)/idpi| i = 1..n|d(p(idi),dec(blind(renc(Π1(xi),a2),s(idi)),a3))/yi|sign(hash((vk(idi),xi)),idR)/zi| i = 1..n|dec(Π1(xi),a1)/resulti| i = 3..n,

θd0 =pk(a1)/g1|pk(a2)/g2|pk(a3)/g3|vk(idR)/idpR|penc(xvotei ,ri,pk(a1))/ei|

pfk1(idi,ri,xvotei ,ei)/pfki|

sign((ei,pfki),idi)/sigi| i = 1, 2|vk(idi)/idpi| i = 1..n,

θ1 = θd0 ∪ d(p(id1),dec(blind(renc(Π1(x1),a2),s(id1)),a3))/y1∪ sign(hash((vk(id1),x1)),idR)/z1

θi = θi−1 ∪ d(p(idi),dec(blind(renc(Π1(xi),a2),s(idi)),a3))/yi∪ sign(hash((vk(idi),xi)),idR)/zi

θres3 = θn ∪ dec(Π1(x3),a1)/result3θresi = θresi−1 ∪ dec(Π1(xi),a1)/resulti for i = 4..n.

RR n° 7781


Given N3, . . . , Nk such that NiθiΣ is an idi-valid ballots for Σ ∈ ΣL,ΣR andi ∈ 3, . . . , k, we define :

σkN

= ballot1/x1, ballot2/x2

, Nj/xj | j ∈ 3, . . . , kσnN

= σN

A.2 Proving static equivalence

Our aim is to prove this proposition :

Proposition 6. Let NiθiΣ be idi-valid ballots for Σ ∈ ΣL,ΣR and i ∈3, . . . , n, we have:

νn.(θsub |θct)σNΣL ≈s νn.(θsub |θct)σNΣR.where σN = ball1/x1

, ball2/x2, Nj/xj | j ∈ 3, . . . , n.

Since one can see that, with notations defined above, θsub |θct = θ|R andθsub |θct = θ|R, we will prove this proposition which is equivalent :

Proposition 8. Let NiθiΣ be idi-valid ballots for Σ ∈ ΣL,ΣR and i ∈3, . . . , n, we have :

νn.(θ|R)σNΣL ≈s νn.(θ|R)σNΣR.

Let us introduce useful lemmas in order to do the proof of the proposition8.

Lemma 9. Let φ = νn.θ and φ′ = νn.θ′ be frames such that θ = θ′ ∪ Mθ′/ywith free M . Then :

φΣL ≈s φΣR ⇐⇒ φ′ΣL ≈s φ′ΣR.

Proof. =⇒ Let N , P be terms such that (fn(N)∪ fn(P ))∩ n = ∅ and fv(N)∪fv(P ) ∈ dom(θ′). Suppose thatNθ′ΣL =E Pθ′ΣL. We also haveNθΣL =E

PθΣL and, since φΣL ≈s φΣR, then NθΣR =E PθΣR. As fv(N)∪fv(P ) ∈dom(θ′), we finally have Nθ′ΣR =E Pθ′ΣR.

⇐= Let N , P be terms such that (fn(N)∪ fn(P ))∩ n = ∅ and fv(N)∪ fv(P ) ∈dom(θ). Suppose that NθΣL =E PθΣL. There are two cases :

– If y /∈ fv(N)∪ fv(P ) then we have Nθ′ΣL =E Pθ′ΣL. Since φ′ΣL ≈sφ′ΣR, then Nθ′ΣR =E Pθ′ΣR and, finally, NθΣR =E PθΣR.

– If y ∈ fv(N) ∪ fv(P ) then, suppose, w.l.o.g. that y ∈ fv(N), then∃p such that N |p = y and we have N [M ]pθ

′ = Nθ. Thus, we have: NθΣL =E N [M ]pθ

′ΣL =E Pθ′ΣL =E PθΣL. (y /∈ fv(P ) other-wise we substitute all y by M in P as done in N .) Using the factthat φ′ΣL ≈s φ′ΣR, we have N [M ]pθ

′ΣR =E Pθ′ΣR and, finally,NθΣR =E PθΣR.

Inria


Lemma 10. Let φ2 = νn.θ2. Then, we have :

φ2σ2N

ΣL ≈s φ2σ2N

ΣR.

Proof. Note that the adversary can arbitrarily combine ciphertexts from theframe with ciphertexts in the frame or freshly constructed ciphertexts, thus weenrich the frame φdev with any such combination of ciphertexts. Formally, forany α1, α2 ∈ N and free terms K,P,R, we define Cα1,α2,K,P,R as follows :

penc(P 2i=1 αi.xvotei , R ∗2i=1 r

αii , pk(a

δ′(α1,α2)1 +K))

with δ′(a, b) = 0 if a = b = 0 and δ′(a, b) = 1 otherwise, a01 = ε, the null term,

and a11 = a1. We define the extended frame φe below.

φe =νn.(θd2 |Cα1,α2,K,P,R/xα1,α2,K,P,R| α1, α2 ∈ N and terms K,P,R such that

(fn(K) ∪ fn(P ) ∪ fn(R)) ∩ n = ∅, fv(K,P,R) ⊆ dom(φe).)

Note that φe is infinite. Using Lemma 9, it is sufficient to show φeΣL ≈s φeΣR.We introduce the following two claims.

Claim 1. Let M be a term such that fv(M) ⊆ dom(φe) = ∅ and fn(M)∩ n =∅. If MφeΣ −→ U for some Σ ∈ ΣL,ΣR, then there exists N such thatU =AC NφeΣ and MφeΣ

′ −→ NφeΣ′ for any Σ′ ∈ ΣL,ΣR.

Claim 2. Let M , N be two terms such that (fv(M)∪ fv(N)) ⊆ dom(φe) = ∅and fn(M,N) ∩ n = ∅. If MφeΣ =AC NφeΣ for some Σ ∈ ΣL,ΣR, thenMφe =AC Nφe.

The above claims allow the construction of our proof. LetM , N be two termssuch that fn(M,N) ∩ n = ∅, fv(M,N) ⊆ dom(φe) and MφeΣL =E NφeΣL.Thus (MφeΣL)↓=AC (NφeΣL)↓. Applying repeatedly Claim 1, we deduce thatthere exists M ′ such that (MφeΣL)↓=AC M ′φeΣL and MφeΣR −→∗ M ′φeΣR.Similarly, there exists N ′ such that (NφeΣL)↓=AC N ′φeΣL and NφeΣR −→∗N ′φeΣR. From M ′φeΣL =AC N ′φeΣL and Claim 2, we deduce M ′φe =AC

N ′φe. Therefore, M ′φeΣR =AC N ′φeΣR and thus MφeΣR =E NφeΣR.Proof of Claim 1 : This result is proved by inspection of the rewrite rules.

More precisely, assume that MφeΣ −→ U for some Σ ∈ ΣL,ΣR. It meansthat there exists a rewriting rule l −→ r ∈ RE and a position p such thatMφeΣ|p =AC lθ for some θ. p cannot occur below M since φeΣ is in normalform. If M |p = lθ′ for some θ′ then we conclude that we can rewrite M asexpected. The only interesting case is thus when M |p is not an instance of lbut MφeΣ|p is. By inspection of the rules, l −→ r can only correspond to oneof the five equations (3), (4), (5), (6) and (7). The case of equations (3) or (4)is ruled out by the fact that a1 is not deducible from φeΣ. This is the samefor the case of equation (7) since idi are not deducible from φeΣ. If the ruleis corresponding to (5), then it must be the case that M |p = x y with x, yvariables of dom(φe). By construction of φe, we have that (x y)φe → zφe(applying the rule corresponding to Equation (5)), thus the result. The lastcase is when the rule is corresponding to Equation (6). This must be the casethatM |p = renc(x,K) with x ∈ dom(φe) and K a term such that fn(K)∩ n = ∅and fv(K) ⊆ dom(φe). By construction of φe, we have that renc(x,K) → yφeand we have the result.

Proof of Claim 2 : Assume by contradiction that there exist M , N twoterms such that MφeΣ =AC NφeΣ for some Σ ∈ ΣL,ΣR and Mφe 6=AC

RR n° 7781


Nφe. Consider M , N two minimal terms that satisfy this property. By caseinspection, it must be the case thatM and N are both variables. Thus, we havexφeΣ =AC yφeΣ and xφe 6=AC yφe with x, y ∈ dom(φe) and x 6= y. Then, wehave head(xφeΣ) ∈ blind, penc, pfk1, sign. But, by construction of φe, Σ doesnot change the randomness used in penc or in pfk1 and the secret ids in blindor sign, thus, randomness or id uniquely determine the variable, which impliesx = y, contradiction.

Lemma 11. We have :

• νn.θ 0 ai + U , for i = 1, 3 and any term U .

• νn.θ 0 ri ∗ U , for i = 1, 2 and any term U .

• νn.θ 0 idi, for i = 1, 2.

• νn.θ 0 p(idi), for i = 1, 2.

Proof. We define four properties :

1. Let N be a deducible term such that ∃ p such that N |p = ai + U fori ∈ 1, 2, 3 and any term U . There are two cases :

• U = ε (ai + ε = ai) and p = p′.2 such that N |p′ = f(N ′, ai) withf ∈ dec, renc.

• p = p′.1.q such that N |p′ =AC pk(ai + U ′) for some U ′ and ∀ q′ < q,head(N |p′.1.q′) = +.

2. Let N be a deducible term such that ∃ p such that N |p = ri ∗ U fori ∈ 1, 2 and any term U . There are two cases :

• p = p′.2.q such that N |p′ =AC penc(P1, ri ∗ U,K1) and ∀ q′ < q,head(N |p′.2.q′) = ∗.

• p = p′.2.q such that N |p′ =AC pfk1(P1, ri ∗ U,P2, P3) and ∀ q′ < q,head(N |p′.2.q′) = ∗.

3. Let N be a deducible term such that ∃ p such that N |p = idi for i ∈ 1, 2.There are four cases :

• p = p′.1 and N |p′ = vk(idi).

• p = p′.1 and N |p′ = p(idi).

• p = p′.1 and N |p′ = s(idi).

• p = p′.1 and N |p′ = pfk1(idi, P1, P2, P3).

• p = p′.2 and N |p′ = sign(N ′, idi).

4. Let N be a deducible term such that ∃ p such that N |p = p(idi) fori ∈ 1, 2. Then, p = p′.1 and N |p′ = d(p(idi),M).

We can see that these properties imply the undeducibility of ai + U , ri ∗ U ,idi and p(idi). Let us prove these properties by induction on the number ofsteps needed to deduce N .

Inria


Base Case : All terms in the frame θ verify these properties.

Induction Hypothesis : Let M1, . . . ,Mk be terms in normal form, de-ducible in i − 1 steps verifying the properties. We are going to prove thatf(M1, . . . ,Mk)↓ also verifies them. There are two main cases :

• If f(M1, . . . ,Mk) is in normal form, then it is obvious that the result istrue.

• If it is not in normal form, then, sinceM1, . . . ,Mk are in normal form, thereduction occurs in head.

– If the applied rule is different from (4), (5) and (6), then the resultis a subterm of M1, . . . ,Mk and it is verifying the properties, usingthe induction hypothesis.

– If the rule (4) is applied, then dec(M1,M2) −→ blind(T1, T2) withT1 and T2 subterms of M1, M2 and are verifying the property byinduction hypothesis. Then, blind(T1, T2) verify the properties.

– If the rule (5) is applied, then (M1,M2) −→ penc(T1T2, R1∗R2, P )with T1, T2, R1, R2, P subterms of M1, M2. The result may benot in normal form if head(T1) = head(T2) = penc and if encryp-tions use the same key, then the rule (5) is applied again. It canbe applied several time, but the reduction will stop since M1 andM2 are terms with fixed length. Then the result will be of the formpenc(. . . penc(T ′1 T ′2, R′1 ∗R′2, P ′) . . . , R1 ∗R2, P ) where all terms aresubterms of M1 and M2. Then, each penc, in normal form, will ver-ify the properties. Thus, the result, in normal form, is verifying theproperties too.

– Finally, if the rule (6) is applied, then renc(M1,M2) −→ penc(T,R,pk(P1+P2)) with T , R, P1 and P2 subterms ofM1 andM2. Thanks tothe induction hypothesis, we can see that the the result is satisfyingthe property. Indeed, whatever the case where ai is a subterm of P1

or P2, ∃ P ′ such that P1 + P2 =AC ai + P ′.

Note. If, ∀ U , ri ∗U and ai +U are not deducible, then using U = ε such thatri ∗ U = ri or ai + U = ai, we have that ri and ai are not deducible too.

Lemma 12. Let φ = νn.θn and N a minimal recipe of (Nφ)↓ such that N =f(N1, . . . , Nk) with f ∈ dec, fst, snd, unblind. Then :

(Nφ)↓= f((N1φ)↓, . . . , (Nkφ)↓)

RR n° 7781


Proof. Let us prove this by induction on the depth of N .

Base Case : N = f(N1, . . . , Nk) with N1, . . . , Nk variables or names.

• If f ∈ fst, snd, since @ x ∈ dom(φ) such that head(xφ) = pair, weconclude immediately.

• If f = dec and N = dec(N1, N2), then N1 ∈ e1, e2 but if there is areduction, it means that we have N2φ = a1 which is impossible as a1 isnot deducible by Lemma 11.

• If f = unblind and N = unblind(N1, N2), then N1 ∈ y1, y2 since yk whichare reducing are removing from the frame. But if there is a reduction, itmeans that we have N2φ = idi which is impossible as idi are not deducibleby Lemma 11.

Induction Hypothesis : We suppose that ∀ term M with a depth ≥ 1satisfies the property. Let N = f(N1, . . . , Nk) of a depth equal to n+ 1 with Niof depths ≤ n. If f((N1φ)↓, . . . , (Nkφ)↓ is in normal form, we conclude easily.Suppose that f((N1φ)↓, . . . , (Nkφ)↓ is not in normal form.

• If f ∈ fst, snd and N = f(N1). The case where N1 is a variable isexcluded. Then N1 = g(N ′1, . . . , N

′k) with g ∈ dec, fst, pair, snd, unblind.

– If g ∈ dec, fst, snd, unblind, using the induction hypothesis, we have(N1φ)↓= g((N ′1φ)↓, . . . , (N ′kφ)↓) and, thus, (Nφ)↓= f((N1φ)↓).

– If g = pair we have a contradiction with the minimality of N .

• If f = dec and N = dec(N1, N2). The case where N1 is a variable is ex-cluded. ThenN1 = g(N ′1, . . . , N

′k) with g ∈ dec, fst, penc, renc, snd, unblind,

.

– If g ∈ dec, fst, snd, unblind, we conclude thanks to the inductionhypothesis.

– If g = penc, there is a contradiction with the minimality of N .

– Finally, the case when g ∈ renc, . We can have a finite (sincedepths are finite) sequence of renc((renc((. . . )))) or (renc((. . . ))).But if there is a reduction with the dec function, then we must haveN1φ =E penc(W1,W2, pk(W3)) with W3 =E N2φ. Moreover, N2

is deducible, then pk(W3) is also deducible and can not contain ai.Since there is no variable in the frame referring to such a key, itmust come from one (or two in the case of a sequence finishing by) penc(P1, P2, pk(P3)) subterm of N1, a contradiction with the min-imality of N .

• If f = unblind and N = unblind(N1, N2). The case where N1 is a variable isexcluded. Then N1 = g(N ′1, . . . , N

′k) with g ∈ blind, dec, fst, snd, unblind.

– If g ∈ dec, fst, snd, unblind, we conclude thanks to the inductionhypothesis.

– If g = blind, there is a contradiction with the minimality of N .

Inria


Definition 13. Let |.| be a measure of the length of a term M such that :

• |u| = 1 for u a constant,

• |f(u1, . . . , un)| =∑|ui| for all f ∈ +, ∗, , .

• |f(u1, . . . , un)| = 1 +∑|ui| otherwise.

We define another measure L which is defined as L(M) = (#(M), |M |) with#(M) the number of symbols under renc or penc symbols.

Lemma 14. Let k ≥ 3, Nkθk−1σk−1

NΣL be an idk-valid ballot. We suppose that

θk−1σk−1

NΣL ≈s θk−1σ

k−1

NΣR. Then, we have, for Σ ∈ ΣL,ΣR :

• Nkθk−1σk−1

NΣ =E (M,N,P )θk−1σ

k−1

NΣ with free M , N , P .

• Nθk−1σk−1

NΣ =E pfk1(idk, N1, N2, N3)θk−1σ

k−1

NΣ with free N1, N2, N3.

• Mθk−1σk−1

NΣ =E penc(N2, N1, U)θk−1σ

k−1

NΣ with free U or U = pk(ai +

U ′) with free U ′ and ai ∈ a1, a2, a3.

Proof. Let k ∈ 3, . . . , n. Let Nk such that Nkθk−1σk−1

NΣL is a idk-valid

ballot. Let N ′k minimal in size - according to the measure of length L definedin Definition 13 - such that :

N ′kθk−1σk−1

NΣL =E Nkθk−1σ

k−1

NΣL (b)

Using Definition 5, we have N ′kθk−1σk−1

NΣL = (N1, N2, N3).

• Let suppose that N ′k is a variable. Since @ x ∈ dom(θk−1) such thatxθk−1σ

k−1

NΣL is a idk-valid ballot, there is a contradiction.

• Thus, N ′k = f(P1, . . . , Pm) with f ∈ dec, fst, pair, snd, unblind since onlyequations (1), (2), (3) and (7) can lead to (N1, N2, N3).

– If f ∈ dec, fst, snd, unblind, using Lemma 12, we have a contradic-tion with the fact that head(N ′kθk−1σ

k−1

NΣL) = pair.

– If f = pair, then N ′k = (M,N,P ), with some free M , N , P . Thus wehave :

N ′kθk−1σk−1

NΣL =E (M,N,P )θk−1σ

k−1

NΣL =E Nkθk−1σ

k−1

NΣL.

Since (Nk =E (M,N,P ))θk−1σk−1

NΣL and φk−1σ

k−1

NΣL ≈s φk−1σ

k−1

N

ΣR, we have (Nk =E (M,N,P ))θk−1σk−1

NΣR. Thus, for Σ ∈ ΣL,ΣR,

we have :Nkθk−1σ

k−1

NΣ =E (M,N,P )θk−1σ

k−1

NΣ.

RR n° 7781


Moreover, Definition 5 gives us now that Nθk−1σk−1

NΣL =E pfk1(idk, P1, P2,

P3).

• N cannot be a variable since there is no x ∈ dom(θk−1) such that xθk−1σk−1

NΣL = pfk1(idk, P1, P2, P3).

• Thus, N = f(N1, . . . , Np) with f ∈ dec, fst, pfk1, snd, unblind since onlyequations (1), (2), (3) and (7) can lead to pfk1(idk, P1, P2, P3).

– If f ∈ dec, fst, snd, unblind, using Lemma 12, we have a contradic-tion with the fact that head(Nθk−1σ

k−1

NΣL) = pfk1.

– If f = pfk1, then N = pfk1(id3, N1, N2, N3), with some free N1, N2,N3. Since (N =E pfk1(id3, N1, N2, N3))θk−1σ

k−1

NΣL and φk−1σ

k−1

NΣL

≈s φk−1σk−1

NΣR, we have (N =E pfk1(id3, N1, N2, N3))θk−1σ

k−1

NΣR.

Thus, for Σ ∈ ΣL,ΣR, we have :

Nθk−1σk−1

NΣ =E pfk1(id3, N1, N2, N3)θk−1σ

k−1

NΣ.

Finally, Definition 5 gives us that Mθk−1σk−1

NΣL =E penc(N2θk−1σ

k−1

NΣL,

N1θk−1σk−1

NΣL, U) for some term U .

• If M is a variable, then M ∈ e1, e2. In that case, we would haveN1θk−1σ

k−1

NΣL =E r1 (or r2) with free N1 which would mean that r1

(or r2) is deducible which is in contradiction with Lemma 11.

• Thus, M = f(N1, . . . , Np) with f ∈ dec, fst, penc, renc, snd, unblind, since only equations (1) to (3) and (5) to (7) can lead to penc(P1, P2, P3).

– If f ∈ dec, fst, snd, unblind, using Lemma 12, we have a contradic-tion with the fact that head(Mθk−1σ

k−1

NΣL) = penc.

– If f = renc i.e. M = renc(M1,M2). The case where M1 is a vari-able is excluded thanks to the fact that ri is not deducible. ThenM1 = g(M ′1, . . . ,M

′p) with g ∈ dec, fst, penc, renc, unblind, since

head(M1θk−1 σk−1

NΣL) = penc.

∗ If g ∈ dec, fst, snd, unblind, using Lemma 12, we have a contra-diction with the fact that head(M1θk−1σ

k−1

NΣL) = penc.

∗ If g = renc and M1 = renc(M ′1,M′2), we have a contradiction

with the minimality of M since renc(M ′1,M′2 +M2) is a smaller

recipe than renc(renc(M ′1,M′2),M2).

∗ If g = andM1 = M ′1M ′2, we also have a contradiction with theminimality of M since renc(M ′1,M2) renc(M ′2,M2) is a smallerrecipe according to the Definition 13 of the measure L.

∗ If g = penc and M1 = penc(M ′1,M′2,M

′3). We have two cases :

Inria


· If M ′3 is a variable, then M ′3 ∈ g1, g2, g3 and we have M =renc(penc(M ′1,M

′2, gi),M2) with free M ′1, M ′2 and M2. In

that case, we have :Mθk−1σ

k−1

NΣL =E renc(penc(M ′1,M

′2, gi),M2)θk−1σ

k−1

NΣL (d)

=E penc(M ′1,M′2, pk(ai +M2))θk−1σ

k−1

NΣL

Thanks to the fact that φk−1σk−1

NΣL ≈s φk−1σ

k−1

NΣR and

(d), we also have that :

Mθk−1σk−1

NΣR =E renc(penc(M ′1,M

′2, gi),M2)θk−1σ

k−1

NΣR

=E penc(M ′1,M′2, pk(ai +M2))θk−1σ

k−1

NΣR

Then, we have, for Σ ∈ ΣL,ΣR :

Mθk−1σk−1

NΣ =E penc(M ′1,M

′2, pk(ai +M2))θk−1σ

k−1

NΣ.

Moreover, sinceMθk−1σk−1


k−1

NΣL, N1

θk−1σk−1

NΣL, U) we have thatM ′1θk−1σ

k−1

NΣL =E N2θk−1σ

k−1

N

ΣL and M ′2θk−1σk−1

NΣL =E N1θk−1σ

k−1

NΣL. Using the fact

that φk−1σk−1

NΣL ≈s φk−1σ

k−1

NΣR, these equalities hold with

ΣR. Finally, we have, for Σ ∈ ΣL,ΣR :

Mθk−1σk−1

NΣ =E penc(N2, N1, pk(ai +M2))θk−1σ

k−1

NΣ.

· If M ′3 = h(M ′′1 , . . . ,M′′q ) with h ∈ dec, fst, pk, snd, unblind,

we can conclude easily with a contradiction when h 6= pk ac-cording to Lemma 12. If h = pk then we have a contradictionwith the minimality of M since penc(M ′1,M ′2, pk(M ′′1 +M2))is smaller than renc(penc(M ′′1 ,M

′′2 , pk(M ′′3 )),M2).

– If f = penc i.e. M = penc(M1,M2,M3) with free M1, M2, M3, weimmediately conclude that, for Σ ∈ ΣL,ΣR :

Mθk−1σk−1

NΣ =E penc(M1,M2,M3)θk−1σ

k−1

NΣ.

Using the fact thatM1θk−1σk−1

NΣ =E N2θk−1σ

k−1

NΣ andM2θk−1σ

k−1

N

Σ =E N1θk−1σk−1

NΣ, we have, with free M3 and Σ ∈ ΣL,ΣR :

Mθk−1σk−1

NΣ =E penc(N2, N1,M3)θk−1σ

k−1

NΣ.

– If f = i.e. M = M1 M2. The case where M1 or M2 is avariable is excluded thanks to the fact that ri is not deducible.Then M1 = h1(M ′1, . . . ,M

′p) and M2 = h2(M ′′1 , . . . ,M

′′q ) with hi ∈

dec, fst, penc, renc, unblind, since head(Miθk−1σk−1

NΣL) = penc

for i = 1, 2.

∗ If ∃ i such that hi ∈ dec, fst, snd, unblind, we have a contradic-tion using Lemma 12.

RR n° 7781


∗ If h1, h2 = penc, we have M1 = penc(M ′1,M′2,K) and M2 =

penc(M ′′1 , M′′2 ,K

′) with K and K ′ such that Kθk−1σk−1

NΣL =E

K ′θk−1σk−1

NΣL which is in contradiction with the minimality of

M since penc(M ′1 M ′′1 ,M ′2 ∗ M ′′2 ,K) is a smaller recipe thanpenc(M ′1,M

′2,K) penc(M ′′1 , M ′′2 ,K ′).

∗ If h1 ∈ renc, and h2 ∈ penc, renc, . If h1 = renc and M1 =renc(M ′1,M

′2), we can apply the same discussion on h1 we did on

f when f = renc in a previous case. According to this, the onlypossible case is when M ′1 = penc(M ′′1 ,M

′′2 ,M

′′3 ). If g1 = and

M1 = M ′1 M ′2, we have an iteration of the current subcase. Butthese iterations must stop since M is not of an unlimited lengthand, thanks to the contradiction of minimality in some cases, theremaining global case is when M = ni=1renc(Pi, Qi) M ′ withM ′ a null term or penc(M ′1,M ′2,M ′3) and Pi = penc(M i

1,Mi2,M

i3)

with M i3 variable, using the discussion on renc case.

Suppose that M ′ = penc(M ′1,M′2,M

′3), then M ′3θk−1σ

k−1

NΣL is

deducible. In order for M to be reduced, we must have the samekeys in both M ′ and ni=1renc(Pi, Qi). But since M i

3 is a vari-able, M i

3 ∈ g1, g2, g3, the resulting key of re-encryption is notdeducible, according to Lemma 11. Indeed, the resulting key islike pk(α1a1 + α2a2 + α3a3 + U) with some integers αi and adeducible term U (we using the notation that ai + ai = 2ai) andsince there are no variable leading to such a key, we must haveM ′3 = pk(α1a1 + α2a2 + α3a3 + U) which is not possible. Then,we must have M ′ = ε.

Thus, we haveM = ni=1renc(Pi, Qi) with Pi = penc(M i1,M

i2,M

i3)

and M i3 variable. Suppose that ∃ 1 ≤ i, j ≤ n such that M i

3 6=M j

3 , let us take, for example, M i3 = g1 and M j

3 = g2. Then, weshould have a1 + qi = a2 + qj which implies that qj = a1 + zj etthen that a2 + U is deducible which is in contradiction with11. Moreover, in order to have a reduction, all Qi must beequal. Then we take, the minimal one, Q1 and, we have :M = ni=1renc(penc(M

i1,M

i2, x), Q1) with x ∈ g1, g2, g3 and

free M i1, M i

2, Q1.

Then, we have :Mθk−1σ

k−1

NΣL= ni=1renc(penc(M

i1,M

i2, x), Qi)θk−1σ

k−1

NΣL (dd)

=E penc(ni=1Mi1, ∗ni=1M

i2, pk(aj +Q1))θk−1σ

k−1

NΣL

Thanks to the fact that φk−1σk−1

NΣL ≈s φk−1σ

k−1

NΣR and (dd),

we also have that :Mθk−1σ

k−1

NΣR= ni=1renc(penc(M

i1,M

i2, x), Qi)θk−1σ

k−1

NΣR

=E penc(ni=1Mi1, ∗ni=1M

i2, pk(aj +Q1))θk−1σ

k−1

NΣR.

Then, we have, for Σ ∈ ΣL,ΣR :

Mθk−1σk−1

NΣ =E penc(M ′1,M

′2, pk(ai +M ′3))θk−1σ

k−1

NΣ.

Moreover, sinceMθk−1σk−1


k−1

NΣL, N1θk−1

Inria


σk−1

NΣL, U) we have that M ′1θk−1σ

k−1

NΣL =E N2θk−1σ

k−1

NΣL

and M ′2θk−1 σk−1

NΣL =E N1θk−1σ

k−1

NΣL. Using the fact that

φk−1σk−1

NΣL ≈s φk−1σ

k−1

NΣR, these equalities hold with ΣR.

Finally, we have, for Σ ∈ ΣL,ΣR :

Mθk−1σk−1

NΣ =E penc(N2, N1, pk(ai +M ′3))θk−1σ

k−1

NΣ.

Lemma 15. Let ϕ1 and ϕ2 be two frames such that ϕ1 ≈s ϕ2. Let a a namesuch that a ∈ bn(ϕ1) ∩ bn(ϕ2) and p(a) is not deducible. Let Ui = d(p(a), U ′′i )in normal form for i = 1, 2 such that Ui does not appear in ϕi. Then, we have,for x /∈ dom(ϕ1) ∪ dom(ϕ2) :

ϕ1 ∪ U1/x ≈s ϕ2 ∪ U2/x.

Proof. Let n1 be a fresh name and δ : U1 7→ n1 the function which replace anyoccurrence of U1 by n1. Let us prove that :

ϕ1 ∪ U1/x ≈s ν.n1(ϕ1 ∪ n1/x).

Let ϕ′1 = ϕ1 ∪ U1/x and ϕ′′1 = ν.n1(ϕ1 ∪ n1/x). Let M and N termssuch that (M = N)ϕ′′1 . Then, we have, with ϕ′′1 = νn.σ′′1 , (Mσ′′1 )[n1 7→ U1] =E

(Nσ′′1 )[n1 7→ U1] since the equationnal theory is stable by names substitutions.Now, since n1 /∈ fn(M) ∪ fn(N), we have M(σ′′1 [n1 7→ U1]) =E N(σ′′1 [n1 7→ U1])but σ′′1 [n1 7→ U1] = σ′1 with ϕ′1 = νm.σ′1. So we have (M = N)ϕ′1 too.

Now let M and N terms such that (M = N)ϕ′1. Then we have :

(Mσ′1)↓ =AC (Nσ′1)↓

Thus,

(Mσ′1)↓ δ =AC (Nσ′1)↓ δ

Claim 1: If U −→ V then Uδ −→ V δ.

Proof. (Claim 1) Let U be a term. Since U −→ V , there exists a rule l −→ r,a substitution θ and a position p such that U |p = lθ and V = U [rθ]p. Then∀ p′ such that U |p′ = U1, we have that p′ cannot be a suffix of p, since U1

is in normal form. Let U ′ = U [X]p, then Uδ = U ′δ[(lθ)δ]p. Since l does notcontain d, we have that U ′δ[lθδ]p = U ′δ[l(θδ)]. Using the rewriting rule, wehave U ′δ[l(θδ)] −→ U ′δ[r(θδ)]p. Finally, U ′δ[r(θδ)]p = (U ′[rθ]p)δ = V δ, that isUδ −→ V δ.

Let us prove that (Mσ′1) ↓ δ =E (Mσ′1δ) ↓. If Mσ′1 is in normal form,we have that (Mσ′1δ)↓=E (Mσ′1)↓ δ. If it is not, then, it exists W1, . . . ,Wn

such that W1 = Mσ′1, Wn = (Mσ′1)↓ and Wi −→ Wi+1 for i = 1..n − 1.Using Claim 1, we have that Wiδ −→ Wi+1δ for i = 1..n − 1 and then that((Mσ′1)δ)↓=AC (Mσ′1)↓ δ. Thus, using the same argument for Nσ′1, we have :

Mσ′1δ =E Nσ′1δ

RR n° 7781


Since a, which is a restricted name, M and N cannot contain a. Moreover,p(a) is not deducible, thus we cannot have the case where M = d(x, y) withxσ′1δ = p(a). Then, we have :

M(σ′1δ) =E N(σ′1δ)

Since U1 does not appear in ϕi, we have :

Mσ′′1 =E Nσ′′1

And we have (M = N)ϕ′′1 , which proves the static equivalence above. Then,using the same development on ϕ2 we have, for i = 1, 2 and two fresh namesn1, n2 :

ϕi ∪ Ui/x ≈s ν.ni(ϕi ∪ ni/x).

Since ϕ1 ≈s ϕ2, we have that ν.n1(ϕ1 ∪n1/x) ≈s ν.n2(ϕ2 ∪n2/x) and usingwhat we just proved, we get :

ϕ1 ∪ U1/x ≈s ϕ2 ∪ U2/x.

Lemma 16. Let ϕ1 and ϕ2 be two frames such that ϕ1 ≈s ϕ2. Let a a namesuch that a ∈ bn(ϕ1) ∩ bn(ϕ2) and is not deducible. Let Ui = sign(U ′i , a) innormal form for i = 1, 2 and Ui do not appear in ϕi. Then, we have, forx /∈ dom(ϕ1) ∪ dom(ϕ2) :

ϕ1 ∪ U1/x ≈s ϕ2 ∪ U2/x.

Proof. Let n1 be a fresh name and δ : U ′1 7→ n1 the function which replace anyoccurrence of U ′1 by n1. Let us prove that :

ϕ1 ∪ U1/x ≈s ν.n1(ϕ1 ∪ sign(n1,a)/x).

Let ϕ′1 = ϕ1∪U1/x and ϕ′′1 = ν.n1(ϕ1∪sign(n1,a)/x). LetM and N termssuch that (M = N)ϕ′′1 . Then, we have, with ϕ′′1 = νn.σ′′1 , (Mσ′′1 )[sign(n1, a) 7→U1] =E (Nσ′′1 )[sign(n1, a) 7→ U1] since the equationnal theory is stable by namessubstitutions. Now, since n1 /∈ fn(M) ∪ fn(N), we have M(σ′′1 [sign(n1, a) 7→U1]) =E N(σ′′1 [sign(n1, a) 7→ U1]) but σ′′1 [sign(n1, a) 7→ U1] = σ′1 with ϕ′1 =νm.σ′1. So we have (M = N)ϕ′1 too.


(Mσ′1)↓ =AC (Nσ′1)↓(Mσ′1)↓ δ =AC (Nσ′1)↓ δ


Proof. (Claim 2) Let U be a term. Since U −→ V , ∃ a rule l −→ r, a substitutionθ and a position p such that U |p = lθ and V = U [rθ]p. Then, ∀ p′ such thatU |p′ = U1, we have that p′ cannot be a suffix of p, since U1 is in normal form.Let U ′ = U [X]p, then Uδ = U ′δ[lθδ]p. Using the equational theory, the onlyinteresting case is when lθ −→ rθ is equation checksign(M, vk(id), sign(M, id)) =

Inria


Ok where M = U ′1 and id = a. Then, we can easily see that lθδ −→ rθδsince lθδ = checksign(n1, a, sign(n1, a)) and rθ = rθδ. In other cases, we havelθδ −→ rθδ since modification implies by δ do not interfere. Thus, we haveU ′δ[lθδ] −→ U ′δ[r(θδ)]p. Finally, U ′δ[rθδ]p = (U ′[rθ]p)δ = V δ, that is Uδ −→V δ.

Let us prove that (Mσ′1) ↓ δ =E (Mσ′1δ) ↓. If Mσ′1 is in normal form,we have that (Mσ′1δ)↓=E (Mσ′1)↓ δ. If it is not, then, it exists W1, . . . ,Wn

such that W1 = Mσ′1, Wn = (Mσ′1)↓ and Wi −→ Wi+1 for i = 1..n − 1.Using Claim 2, we have that Wiδ −→ Wi+1δ for i = 1..n − 1 and then that((Mσ′1)δ)↓=AC (Mσ′1)↓ δ. Thus, using the same argument for Nσ′1, we have :


Since a, which is a restricted name, M and N cannot contain a. Then, we have:

M(σ′1δ) =E N(σ′1δ)


Mσ′′1 =E Nσ′′1


ϕi ∪ Ui/x ≈s ν.ni(ϕi ∪ sign(ni,a)/x).Since ϕ1 ≈s ϕ2, we have that ν.n1(ϕ1∪sign(n1,a)/x) ≈s ν.n2(ϕ2∪sign(n2,a)/x)and using what we just proved, we get :

ϕ1 ∪ U1/x ≈s ϕ2 ∪ U2/x.

Lemma 17. Let φ and ψ be frames such that φ∪ t/x ≈s ψ ∪ t′/x for some

terms t and t′. Then :

φ ∪ t/x ∪ t/y ≈s ψ ∪ t′/x ∪ t

′/y.

Proof. Let φ ∪ t/x ∪ t/y = φ′′, ψ ∪ t′/x ∪ t′/y = ψ′′, φ ∪ t/x = φ′

and ψ ∪ t′/x = ψ′. Let M , N be terms such that (M = N)φ′′. If y /∈fv(M)∪ fv(N) then since φ′ ≈s ψ′, the fact that (M = N)ψ′′ is straightforward.If y ∈ fv(M)∪ fv(N), let δ : y 7→ x, we have : (Pδ)φ′ = Pφ′′ and (Pδ)ψ′ = Pψ′′

for all term P . Thus :

Mφ′′ =E Nφ′′

(Mδ)φ′ =E (Nδ)φ′

Since φ′ ≈s ψ′ and ((Mδ) = (Nδ))φ′, we have :

(Mδ)ψ′ =E (Nδ)ψ′

Mψ′′ =E Nψ′′

RR n° 7781


Lemma 18. Let ϕ1 and ϕ2 be two frames such that ϕ1 ≈s ϕ2. Let a a namesuch that a ∈ bn(ϕ1) ∩ bn(ϕ2) and is not deducible. Let Ui = dec(U ′i , a) innormal form for i = 1, 2 and Ui do not appear in ϕi. Then, we have, forx /∈ dom(ϕ1) ∪ dom(ϕ2) :

ϕ1 ∪ U1/x ≈s ϕ2 ∪ U2/x.

Proof. Let n1 be a fresh name and δ : U1 7→ n1 the function which replace anyoccurrence of U1 by n1. Let us prove that :

ϕ1 ∪ U1/x ≈s ν.n1(ϕ1 ∪ n1/x).

Let ϕ′1 = ϕ1 ∪ U1/x and ϕ′′1 = ν.n1(ϕ1 ∪ n1/x). Let M and N termssuch that (M = N)ϕ′′1 . Then, we have, with ϕ′′1 = νn.σ′′1 , (Mσ′′1 )[n1 7→ U1] =E

(Nσ′′1 )[n1 7→ U1] since the equationnal theory is stable by names substitutions.Now, since n1 /∈ fn(M) ∪ fn(N), we have M(σ′′1 [n1 7→ U1]) =E N(σ′′1 [n1 7→ U1])but σ′′1 [n1 7→ U1] = σ′1 with ϕ′1 = νm.σ′1. So we have (M = N)ϕ′1 too.


(Mσ′1)↓ =AC (Nσ′1)↓

Thus,

(Mσ′1)↓ δ =AC (Nσ′1)↓ δ


Proof. (Claim 3) Let U be a term. Since U −→ V , there exists a rule l −→ r,a substitution θ and a position p such that U |p = lθ and V = U [rθ]p. Then∀ p′ such that U |p′ = U1, we have that p′ cannot be a suffix of p, since U1

is in normal form. Let U ′ = U [X]p, then Uδ = U ′δ[(lθ)δ]p. Since l does notcontain dec, we have that U ′δ[lθδ]p = U ′δ[l(θδ)]. Using the rewriting rule, wehave U ′δ[l(θδ)] −→ U ′δ[r(θδ)]p. Finally, U ′δ[r(θδ)]p = (U ′[rθ]p)δ = V δ, that isUδ −→ V δ.

Let us prove that (Mσ′1)↓ δ =E (Mσ′1δ)↓. IfMσ′1 is in normal form, we havethat (Mσ′1δ)↓=E (Mσ′1)↓ δ. If it is not, then, it exists U1, . . . , Un such thatU1 = Mσ′1, Un = (Mσ′1)↓ and Ui −→ Ui+1 for i = 1..n− 1. Using Claim 1, wehave that Uiδ −→ Ui+1δ for i = 1..n−1 and then that ((Mσ′1)δ)↓=AC (Mσ′1)↓ δ.Thus, using the same argument for Nσ′1, we have :


Since a, which is a restricted name, M and N cannot contain a. Then, we have:

M(σ′1δ) =E N(σ′1δ)


Mσ′′1 =E Nσ′′1

Inria



ϕi ∪ Ui/x ≈s ν.ni(ϕi ∪ ni/x).

Since ϕ1 ≈s ϕ2, we have that ν.n1(ϕ1 ∪n1/x) ≈s ν.n2(ϕ2 ∪n2/x) and usingwhat we just proved, we get :

ϕ1 ∪ U1/x ≈s ϕ2 ∪ U2/x.

Lemma 19. Let Niθi−1σi−1

NΣ be idi-valid ballots for Σ ∈ ΣL,ΣR and i =

3..n. Let φresi−1 = νn.θresi−1. We have :

φresi−1σNΣL ≈s φresi−1σNΣR =⇒ φresi σNΣL ≈s φresi σNΣR.

Proof. As a first remark : for i = 3..n, since Niθi−1σi−1

NΣ is a idi-valid ballot,

then we know that, using Lemma 14 :

• NiθnσNΣ =E (Wi, Xi, Zi)θnσNΣ with freeWi, Wi, Zi and Σ ∈ ΣL,ΣR.

• WiθnσNΣ =E penc(W ′i ,W′′i , Ui)θnσNΣ with Σ ∈ ΣL,ΣR, free W ′i , W ′′i

and free Ui or Ui = pk(ai + U ′i) with free U ′i and ai ∈ a1, a2, a3.

Then, we have two cases :

• UiθnσNΣ =E pk(a1). Then, we have :

result iθresi σNΣ =E dec(penc(W ′iθ

resi−1σNΣ,W ′′i θ

resi−1σNΣ, pk(a1)), a1)

=E W ′iθresi−1σNΣ.

Then, we have result iθresi σNΣ =E Wθresi−1σNΣ where W is free. Let

θ′ = θresi−1σN and θ = θ′ ∪ Mθ′/resulti = θresi σN . Using Lemma 9, sinceφresi−1σNΣL ≈s φresi−1σNΣR, we conclude.

• UθnσNΣ 6=E pk(a1). Then, result iθresi σNΣ =E dec(penc(W ′i ,W′′i , Ui)θ

resi−1

σi−1

NΣ, a1). Then, we have two cases. The first one when ∃ j such that

resultjθresi σNΣ =E result iθ

resi σN . In that case, we use Lemma 17 to

conclude. The second one when the first case do not happen is solvedusing directly Lemma 18 since a1 is restricted and not deducible.

Lemma 20. Let NiθiσNΣ be idi-valid ballots for Σ ∈ ΣL,ΣR and i = 3..n.

result1σNΣL =E v1 =E result1σNΣRresult2σNΣL =E v2 =E result2σNΣR.

Proof. Obvious.

RR n° 7781


Now let us return to Proposition 8 and start to prove it.

Proposition 8. Let NiθiΣ be idi-valid ballots for Σ ∈ ΣL,ΣR and i ∈3, . . . , n, we have :

νn.(θ|R)σNΣL ≈s νn.(θ|R)σNΣR.

Proof. The proposition will be proved using two consecutive induction.

First, let us show that : for any i ≥ 2, let φi = νn.θi then φiσiN

ΣL ≈sφiσ

iN

ΣR.Base Case : Using Lemma 10, we show that φ2σ

2N

ΣL ≈s φ2σ2N

ΣR.

Induction step : Assume now that φiσiNΣL ≈s φiσiNΣR and let us showthat φi+1σ

i+1

NΣL ≈s φi+1σ

i+1

NΣR.

Using Lemma 15 with U1 = (yiθiσiN

ΣL)↓= d(p(idi), U′1) and U2 = (yiθiσ

iN

ΣR)↓= d(p(idi), U

′2), we prove that θi ∪ U1/yiσi+1

NΣL ≈s θi ∪ U2/yiσi+1

NΣR.

Then, using this new equivalence and Lemma 16 with U1 = (ziθiσi+1

NΣL)↓=

sign(U ′1, idR) and U2 = (ziθiσi+1

NΣL)↓= sign(U ′2, idR), we have now that φi+1σ

i+1

N

ΣL ≈s φi+1σi+1

NΣR.

Thus, we deduct :φnσNΣL ≈s φnσNΣR

and we can note φn = φres2 .

Now let us show that : for any i ≥ 2, φresi = νn.θresi then φresi σNΣL ≈sφresi σNΣR.

Base Case : Using the fact that φn = φres2 , the base case is proved by thefirst induction.

Induction step : Assume now that φresi σNΣL ≈s φresi σNΣR and let usshow that φresi+1σNΣL ≈s φresi+1σNΣR.

Using Lemma 19, we can prove the induction step adding each result one byone and, finally, we have :

φσNΣL ≈s φσNΣR with φ = νn.θ.

Now using Lemmas 9 and 20, we prove the final static equivalence :

φ1 = νn.(θ|R)σNΣL ≈s φ2 = νn.(θ|R)σNΣR.

From Proposition 8, we can enunciate a corollary.

Corollary 21. For i = 0 . . . n, j = 3 . . . n, and NkθkΣ be idk-valid ballots forΣ ∈ ΣL,ΣR and k = 3 . . . n, we have :

νn.θiσiN

ΣL ≈s νn.θiσiNΣR

νn.θ′jσNΣL ≈s νn.θ′jσNΣR

Inria


B Proof of Theorem 4Let us remind the Theorem we need to prove.

Theorem 4. Let n be the number of voters. The Norwegian e-voting protocolprocess specification satisfies ballot secrecy without the auditing process, evenwith n− 2 voters are corrupted, provided that the other components are honest.

A′n[V c1/cauth ,cRV1 /cRV σ | V c2/cauth ,cRV2 /cRV τ ]

≈l A′n [V c1/cauth ,cRV1 /cRV τ |V c2/cauth ,cRV2 /cRV σ]

where σ = v1/xvote and τ = v2/xvote.Let us introduce the relation we will use to prove labeled bisimilarity.

B.1 Partial evolutions of protocol specificationFirst, we will introduce partial evolutions of the protocol process specificationand remind some notations used. Note that correct modeling of sub-processeshave not been depicted but one can see that describing partial evolutions ofsub-processes can be seen as a modeling description. Then, as an example, Bn,the ballot box correspond to B1

1,n in that case, without auditor. It avoids aannoying and non-useful applied-pi description, since it is easy to remove alllines dealing with an auditor’s stuff, as the full description was depicted in thearticle.

Definition 22. Notations and partial evolutions for honest voters. (i ∈ 1, 2)

V 1i = cout〈balli〉.V 2

i ei = penc(xivote, ti, pk(a1))V 2i = ci〈balli〉.V 3

i pfk i = pfk1(idi, ti, xivote, ei)

V 3i = cRVi(reci).V

4i sigi = sign((ei, pfk i), idi)

V 4i = ci(coni).V

5i balli = (ei, pfk i, sigi)

V 5i = cout〈coni〉.V 6

i hvi = hash((vk(idi), ei, pfk i, sigi))V 6i = cout〈reci〉.V 7

i

V 7i = if φv(idpR, idi, hvi, coni, xvotei , reci) then V 8

i else 0V 8i = ci〈Ok〉

Definition 23. Notations and partial evolutions for the ballot box. (i ∈ 1, . . . , n)

B1i,n = ci(xi).B

1.1i,n e′i = renc(Π1(xi), s(idi))

B1.1i,n = if φb(idpi, xi) then B1.2

i,n else 0 pfk ′i = pfk2(idi, a2,Π1(xi), e′i)

B1.2i,n = cBR〈ball′i〉.B2

i,n e′′i = blind(e′i, s(idi))B2i,n = cBR(qi).B

3i,n pfk ′′i = pfk2(idi, s(idi), e

′i, e′′i )

B3i,n = if φs(idpR, hbbi, qi) then B3.1

i,n else 0 ball′i = (xi, e′i, pfk

′i, e′′i , pfk

′′i )

B3.1i,n = ci〈qi〉.B3.2

i,n hbbi = hash((vk(idi), xi))B3.2i,n = ci(syi).B

1i+1,n

B3.2n,n = cn(syn).B4

1,n

B4i,n = cBD〈Π1(xi)〉.B4

i+1,n

B4n,n = cBD〈Π1(xn)〉

Definition 24. Notations et and partial evolutions for the receipt generator.(i ∈ 1, . . . , n)

RR n° 7781


A3

[V 3

1 |V 12 |B2

1,n|R21,n|D1

1,n

]σ ∼R A3

[V 3

1 |V 12 |B2

1,n|R21,n|D

1

1,n

]τ (5)

A3

[V 3

1 |V 12 |B2

1,n|R31,n|D1

1,n

]σ ∼R A3

[V 3

1 |V 12 |B2

1,n|R31,n|D

1

1,n

]τ (6)

A4

[V 4

1 |V 12 |B2

1,n|R41,n|D1

1,n

]σ ∼R A4

[V 4

1 |V 12 |B2

1,n|R41,n|D

1

1,n

]τ (7)

A5

[V 4

1 |V 12 |B3

1,n|R12,n|D1

1,n

]σ ∼R A5

[V 4

1 |V 12 |B3

1,n|R12,n|D

1

1,n

]τ (8)

A5

[V 4

1 |V 12 |B3.1

1,n|R12,n|D1

1,n

]σ ∼R A5

[V 4

1 |V 12 |B3.1

1,n|R12,n|D

1

1,n

]τ (9)

A6

[V 5

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ ∼R A6

[V 5

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ (10)

A7

[V 6

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ ∼R A7

[V 6

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ (11)

A8

[V 7

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ ∼R A8

[V 7

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ (12)

A8

[V 8

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ ∼R A8

[V 8

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ (13)

A8

[V 1

2 |B12,n|R1

2,n|D11,n

]σ ∼R A8

[V 1

2 |B12,n|R1

2,n|D1

1,n

]τ (14)

A9

[V 2

2 |B12,n|R1

2,n|D11,n

]ΣL ∼R A9

[V 2

2 |B12,n|R1

2,n|D1

1,n

]ΣR (15)

A10

[V 3

2 |B1.12,n|R1

2,n|D11,n

]ΣL ∼R A10

[V 3

2 |B1.12,n|R1

2,n|D1

1,n

]ΣR (16)

A10

[V 3

2 |B1.22,n|R1

2,n|D11,n

]ΣL ∼R A10

[V 3

2 |B1.22,n|R1

2,n|D1

1,n

]ΣR (17)

A11

[V 3

2 |B22,n|R2

2,n|D11,n

]ΣL ∼R A11

[V 3

2 |B22,n|R2

2,n|D1

1,n

]ΣR (18)

A11

[V 3

2 |B22,n|R3

2,n|D11,n

]ΣL ∼R A11

[V 3

2 |B22,n|R3

2,n|D1

1,n

]ΣR (19)

A12

[V 4

2 |B22,n|R4

2,n|D11,n

]ΣL ∼R A12

[V 4

2 |B22,n|R4

2,n|D1

1,n

]ΣR (20)

A13

[V 4

2 |B32,n|R1

3,n|D11,n

]ΣL ∼R A13

[V 4

2 |B32,n|R1

3,n|D1

1,n

]ΣR (21)

A13

[V 4

2 |B3.12,n|R1

3,n|D11,n

]ΣL ∼R A13

[V 4

2 |B3.12,n|R1

3,n|D1

1,n

]ΣR (22)

A14

[V 5

2 |B3.22,n|R1

3,n|D11,n

]ΣL ∼R A14

[V 5

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR (23)

A15

[V 6

2 |B3.22,n|R1

3,n|D11,n

]ΣL ∼R A15

[V 6

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR (24)

A13

[V 7

2 |B3.22,n|R1

3,n|D11,n

]ΣL ∼R A1

3

[V 7

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR (25)

A13

[V 8

2 |B3.22,n|R1

3,n|D11,n

]ΣL ∼R A1

3

[V 8

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR (26)

(i ∈ 3, . . . , n, R1n+1,n = 0)

A1i

[B1i,n|R1

i,n|D11,n

]ΣL ∼R A1

i

[B1i,n|R1

i,n|D1

1,n

]ΣR (27)

A1i

[B1.1i,nMi/xi|R1

i,n|D11,n

]ΣL ∼R A1

i

[B1.1i,nMi/xi|R1

i,n|D1

1,n

]ΣR (28)

A2i

[B1.2i,n |R1

i,n|D11,n

]ΣL ∼R A2

i

[B1.2i,n |R1

i,n|D1

1,n

]ΣR (29)

A3i

[B2i,n|R2

i,n|D11,n

]ΣL ∼R A3

i

[B2i,n|R2

i,n|D1

1,n

]ΣR (30)

Inria


A3i

[B2i,n|R3

i,n|D11,n

]ΣL ∼R A3

i

[B2i,n|R3

i,n|D1

1,n

]ΣR (31)

A4i

[B2i,n|R4

i,n|D11,n

]ΣL ∼R A4

i

[B2i,n|R4

i,n|D1

1,n

]ΣR (32)

A5i

[B3i,n|R1

i+1,n|D11,n

]ΣL ∼R A5

i

[B3i,n|R1

i+1,n|D1

1,n

]ΣR (33)

A5i

[B3.1i,n |R1

i+1,n|D11,n

]ΣL ∼R A5

i

[B3.1i,n |R1

i+1,n|D1

1,n

]ΣR (34)

A6i

[B3.2i,n |R1

i+1,n|D11,n

]ΣL ∼R A6

i

[B3.2i,n |R1

i+1,n|D1

1,n

]ΣR (35)

(i ∈ 1, . . . , n, j ∈ 3, . . . , n)

A′i[B4i,n|D1

i,n

]ΣL ∼R A′i

[B4i,n|D

1

i,n

]ΣR (36)

A′n+1

[D2

1,n

]ΣL ∼R A′n+1

[D

2

1,n

]ΣR (37)

A′′1[D2

2,n

]ΣL ∼R A

′′1

[D

2

2,n

]ΣR (38)

A′′j−1

[D2j,n

]ΣL ∼R A

′′j−1

[D

2

j,n

]ΣR (39)

A′′n [0] ΣL ∼R A′′n [0] ΣR (40)

(i ∈ 3, . . . , n)

A1i

[Mi/xi|R1

i,n|D11,n

]ΣL ∼R A1

i

[Mi/xi|R1

i,n|D1

1,n

]ΣR (41)

B.3 Useful lemmasLet us introduce useful lemmas which will be used to prove that the constructedrelation satisfies the property of Definition 2.

Definition 5. Let id ∈ id1, . . . , idn. A term N is said to be a id - valid ballotif φb(id,N) = true, equivalently : N = (N1, N2, N3)

checksign((N1, N2), vk(id), N3) =E Okcheckpfk1(vk(id), N1, N2) =E Ok

.

Lemma 28. Let N be a id-valid ballot, thus N = (N1, N2, N3). Let

Nrenc = renc(N1, a2), Nblind = blind(Nrenc, s(id)),Nhash = hash((vk(id), N1, N2, N3)), N ′ = (N,Nrenc, N

1pfk , Nblind, N

2pfk ).

N1pfk = pfk2(idp, a2, N1, Nrenc), N2

pfk = pfk2(idp, s(id), Nrenc, Nblind),Rsign = sign(Nhash, idR)

Then we have φb(idp,N) =E φr(idp,N′) =E φs(idpR, Nhash, Rsign) =E true

with idp = vk(id).

Proof. Let N be a id-valid ballot. By definition, we have that φb(id,N) = true.According to the definition of N ′, we have that N ′ = (N ′1, N

′2, N

′3, N

′4, N

′5) with

N ′1 = N = (N1, N2, N3). Moreover, we know that checkpfk1(idp,N1, N2) =E

checksign((N1, N2), idp,N3) =E Ok since φb(idp,N) = true. In addition, wehave :

RR n° 7781


checkpfk2(idp,N ′2, N′3) =E checkpfk2(vk(id), Nrenc, N

1pfk )

=E checkpfk2(vk(id), renc(N1, a2), pfk2(idp, a2, N1, renc(N1, a2)))=E Ok

and

checkpfk2(idp,N ′4, N′5) =E checkpfk2(vk(id), Nblind, N

2pfk )

=E checkpfk2(vk(id), Nblind, pfk2(vk(id), s(id), Nrenc, Nblind))where Nblind = blind(Nrenc, s(id))=E Ok.

Then, we have φr(idp,N ′) = true. Finally, we have :

checksign(Nhash, idpR, Rsign) =E checksign(Nhash, idpR, sign(Nhash, idR))

=E Ok

which prove that φs(idpR, Nhash, Rsign) = true.

Lemma 29. Let N be a term such that, for some Nrand :

N = (N1, N2, N3)

N1 = penc(v,Nrand, pk(a1))

N2 = pfk1(id,Nrand, v,N1)

N3 = sign((N1, N2), id).

Let Rrec = dec(Nblind, a3), with Nblind, Rsign and Nhash the same as in Lemma28. Then, N is a id-valid ballot and we have :

φv(idpR, id,Nhash, Rsign, v,Nrec) = true.

Proof. Let N be this term. Then, N clearly satisfies Definition 5, and :

unblind(dec(Nblind, a3), s(id)) =E unblind(dec(blind(Nrenc, s(id)), a3), s(id))= unblind(dec(blind(renc(N1, a2), s(id)), a3), s(id))= unblind(dec(blind(renc(penc(v,Nrand, pk(a1)), a2), s(id)), a3), s(id))(6)=E unblind(dec(blind(penc(v,Nrand, pk(a1 + a2)), s(id)), a3), s(id))= unblind(dec(blind(penc(v,Nrand, pk(a3)), s(id)), a3), s(id))(4)=E unblind(blind(v, s(id)), s(id)(7)=E v.

Moreover :

checksign(Nhash, idpR, Rsign) =E checksign(Nhash, idpR, sign(Nhash, idR))

=E Ok

which prove that φv(idpR, id,Nhash, Rsign, v,Nrec) = true.

Inria


B.4 Proof for the relationLet us prove that R satisfies the three properties of Definition 2.

Internal Reductions : We must show for all extended processes A andB, where A R B, that if A −→ A′ for some A′, then B −→ B′ and A′ R B′

for some B′. We observe that if A R B by (1), (10), (11), (14), (23), (24), (27),(31), (34), (35) or (37) to (40) then there is no extended process A′ such thatA −→ A′. We proceed by case analysis on the remaining cases.

(2) We have

A ≡ A1

[V 2

1 |V 12 |B1

1,n|R11,n|D1

1,n

]σ and B ≡ A1

[V 2

1 |V 12 |B1

1,n|R11,n|D

1

1,n

]τ.

If A −→ A′, then it must be the case that

A ≡ A1

[c1〈ball1〉.V 3

1 |V 12 |c1(x1).B1.1

1,n|R11,n|D1

1,n

]σ

andA′ ≡ A2

[V 3

1 |V 12 |B1.1

1,n|R11,n|D1

1,n

]σ.

It follows from

B ≡ A1

[c1〈ball1〉.V 3

1 |V 12 |c1(x1).B1.1

1,n|R11,n|D

1

1,n

]τ

that B −→ B′ where

B′

= A2

[V 3

1 |V 12 |B1.1

1,n|R11,n|D

1

1,n

]τ.

SinceA′ = A2

[V 3

1 |V 12 |B1.1

1,n|R11,n|D1

1,n

]σ R B′,

we derive A′ R B′ by the closure of R under structural equivalence.

(3) We have

A ≡ A2

[V 3

1 |V 12 |B1.1

1,n|R11,n|D1

1,n

]σ and B ≡ A2

[V 3

1 |V 12 |B1.1

1,n|R11,n|D

1

1,n

]τ.


A ≡ A2

[V 3

1 |V 12 |if φb(idp1, x1) then B1.2

1,n else 0|R11,n|D1

1,n

]σ.

Since x1 refers to ball1, it follows from Lemma 29 applied to ball1σ that itis a id1-valid ballot and from Lemma 28 that φb(idp1, x1)ball1/x1

σ = trueand

A′ ≡ A2

[V 3

1 |V 12 |B1.2

1,n|R11,n|D1

1,n

]σ.

It follows from

B ≡ A2

[V 3

1 |V 12 |if φb(idp1, x1) then B1.2

1,n else 0|R11,n|D

1

1,n

]τ

and from Lemma 29 and Lemma 28 applied to ball1τ , since φb(idp1, x1)ball1/x1τ = true, that B −→ B′ where

B′

= A2

[V 3

1 |V 12 |B1.2

1,n|R11,n|D

1

1,n

]τ.

RR n° 7781


SinceA′ ≡ A2

[V 3

1 |V 12 |B1.2

1,n|R11,n|D1

1,n

]σ R B′,


(4) We have

A ≡ A2

[V 3

1 |V 12 |B1.2

1,n|R11,n|D1

1,n

]σ and B ≡ A2

[V 3

1 |V 12 |B1.2

1,n|R11,n|D

1

1,n

]τ.


A ≡ A2

[V 3

1 |V 12 |cBR〈ball′1〉.B2

1,n|cBR(p1).R21,n|D1

1,n

]σ

andA′ ≡ A3

[V 3

1 |V 12 |B2

1,n|R21,n|D1

1,n

]σ.

It follows from

B ≡ A2

[V 3

1 |V 12 |cBR〈ball′1〉.B2

1,n|cBR(p1).R21,n|D

1

1,n

]τ


B′

= A3

[V 3

1 |V 12 |B2

1,n|R21,n|D

1

1,n

]τ.

SinceA′ = A3

[V 3

1 |V 12 |B2

1,n|R21,n|D1

1,n

]σ R B′,


(5) We have

A ≡ A3

[V 3

1 |V 12 |B2

1,n|R21,n|D1

1,n

]σ and B ≡ A3

[V 3

1 |V 12 |B2

1,n|R21,n|D

1

1,n

]τ.


A ≡ A3

[V 3

1 |V 12 |B2

1,n|if φr(idp1, p1) then R31,n else 0|D1

1,n

]σ

and it follows from Lemma 28, since ball1σ is verifying Lemma 29, thatφr(idp1, p1)ball1/x1

, ball′1/p1σ = true, thus

A′ ≡ A3

[V 3

1 |V 12 |B2

1,n|R31,n|D1

1,n

]σ.

It follows from

B ≡ A3

[V 3

1 |V 12 |B2

1,n|if φr(idp1, p1) then R31,n else 0|D1

1,n

]τ

and Lemma 28 and Lemma 29 applied to ball1τ that φr(idp1, p1)ball1/x1 ,ball′1/p1τ = true thus B −→ B′ where

B′

= A3

[V 3

1 |V 12 |B2

1,n|R31,n|D

1

1,n

]τ.

SinceA′ = A3

[V 3

1 |V 12 |B2

1,n|R31,n|D1

1,n

]σ R B′,


Inria


(6) We have

A ≡ A3

[V 3

1 |V 12 |B2

1,n|R31,n|D1

1,n

]σ and B ≡ A3

[V 3

1 |V 12 |B2

1,n|R31,n|D

1

1,n

]τ.


A ≡ A3

[cRV1

(rec1).V 41 |V 1

2 |B21,n|cRV1

〈r1〉.R41,n|D1

1,n

]σ

andA′ ≡ A4

[V 4

1 |V 12 |B2

1,n|R41,n|D1

1,n

]σ.

It follows from

B ≡ A3

[cRV1

(rec1).V 41 |V 1

2 |B21,n|cRV1〈r1〉.R4

1,n|D1

1,n

]τ


B′

= A4

[V 4

1 |V 12 |B2

1,n|R41,n|D

1

1,n

]τ

. SinceA′ = A4

[V 4

1 |V 12 |B2

1,n|R41,n|D1

1,n

]σ R B′

, we derive A′ R B′ by the closure of R under structural equivalence.

(7) We have

A ≡ A4

[V 4

1 |V 12 |B2

1,n|R41,n|D1

1,n

]σ and B ≡ A4

[V 4

1 |V 12 |B2

1,n|R41,n|D

1

1,n

]τ.


A ≡ A4

[V 4

1 |V 12 |cBR(q1).B3

1,n|cBR〈sigR1 〉.R12,n|D1

1,n

]σ

andA′ ≡ A5

[V 4

1 |V 12 |B3

1,n|R12,n|D1

1,n

]σ.

It follows from

B ≡ A4

[V 4

1 |V 12 |cBR(q1).B3

1,n|cBR〈sigR1 〉.R12,n|D

1

1,n

]τ


B′

= A5

[V 4

1 |V 12 |B3

1,n|R12,n|D

1

1,n

]τ.

SinceA′ = A5

[V 4

1 |V 12 |B3

1,n|R12,n|D1

1,n

]σ R B′,


(8) We have

A ≡ A5

[V 4

1 |V 12 |B3

1,n|R12,n|D1

1,n

]σ and B ≡ A5

[V 4

1 |V 12 |B3

1,n|R12,n|D

1

1,n

]τ.

RR n° 7781



A ≡ A5

[V 4

1 |V 12 |if φs(idpR, q1) then B3.1

1,n else 0|R12,n|D1

1,n

]σ

and it follows from Lemma 28 and Lemma 29 applied to ball1σ thatφs(idpR, q1) ball1/x1

,ball′1 /p1 ,

sigR1 /q1σ = true and

A′ ≡ A5

[V 4

1 |V 12 |B3.1

1,n|R12,n|D1

1,n

]σ.

It follows from

B ≡ A5

[V 4

1 |V 12 |if φs(idpR, q1) then B3.1

1,n else 0|R12,n|D

1

1,n

]τ

and from Lemma 28 and Lemma 29 applied to ball1τ that φs(idpR, q1)ball1/x1,

ball′1/p1 ,sigR1 /q1τ = true and B −→ B′ where

B′

= A5

[V 4

1 |V 12 |B3.1

1,n|R12,n|D

1

1,n

]τ.

SinceA′ = A5

[V 4

1 |V 12 |B3.1

1,n|R12,n|D1

1,n

]σ R B′,


(9) We have

A ≡ A5

[V 4

1 |V 12 |B3.1

1,n|R12,n|D1

1,n

]σ and B ≡ A5

[V 4

1 |V 12 |B3.1

1,n|R12,n|D

1

1,n

]τ.


A ≡ A5

[c1(con1).V 5

1 |V 12 |c1〈q1〉.B3.2

1,n|R12,n|D1

1,n

]σ

andA′ ≡ A6

[V 5

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ.

It follows from

B ≡ A5

[c1(con1).V 5

1 |V 12 |c1〈q1〉.B3.2

1,n|R12,n|D

1

1,n

]τ


B′

= A6

[V 5

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ.

SinceA′ = A6

[V 5

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ R B′,


(12) We have

A ≡ A8

[V 7

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ and B ≡ A8

[V 7

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ.

Inria



A ≡ A8

[if φv(idpR, id1, hv1, con1, x

vote1 , rec1) then V 8

1 else 0|V 12 |B3.2

1,n|R12,n|D1

1,n

]σ

and it follows from Lemma 29 applied to ball1σ that φv(idpR, id1, hv1, con1,

xvote1 , rec1)ball1/x1,ball

′1 /p1 ,

sigR1 /q1 ,r1 /rec1 ,

q1 /con1σ = true and

A′ ≡ A8

[V 8

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ.

It follows from

B ≡ A8



1 else 0|V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ

and the Lemma 29 applied to ball1τ that φv(idpR, id1, hv1, con1, xvote1 , rec1)

ball1/x1,ball

′1 /p1 ,


q1 /con1τ = true and B −→ B′ where

B′

= A8

[V 8

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ.

SinceA′ = A8

[V 8

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ R B′,


(13) We have

A ≡ A8

[V 8

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ and B ≡ A8

[V 8

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]τ.


A ≡ A8

[c1〈Ok〉|V 1

2 |c1(sy1).B12,n|R1

2,n|D11,n

]σ

andA′ ≡ A8

[V 1

2 |B12,n|R1

2,n|D11,n

]σ.

It follows from

B ≡ A8

[c1〈Ok〉|V 1

2 |c1(sy1).B12,n|R1

2,n|D1

1,n

]τ


B′

= A8

[V 1

2 |B12,n|R1

2,n|D1

1,n

]τ.

SinceA′ = A8

[V 1

2 |B12,n|R1

2,n|D11,n

]σ R B′,


(15) We have

A ≡ A9

[V 2

2 |B12,n|R1

2,n|D11,n

]ΣL and B ≡ A9

[V 2

2 |B12,n|R1

2,n|D1

1,n

]ΣR.

RR n° 7781



A ≡ A9

[c2〈ball2〉.V 3

2 |c2(x2).B1.12,n|R1

2,n|D11,n

]ΣL

andA′ ≡ A10

[V 3

2 |B1.12,n|R1

2,n|D11,n

]ΣL.

It follows from

B ≡ A9

[c2〈ball2〉.V 3

2 |c2(x2).B1.12,n|R1

2,n|D1

1,n

]ΣR


B′

= A10

[V 3

2 |B1.12,n|R1

2,n|D1

1,n

]ΣR.

SinceA′ = A10

[V 3

2 |B1.12,n|R1

2,n|D11,n

]ΣL R B′

, we derive A′ R B′ by the closure of R under structural equivalence.

(16) We have

A ≡ A10

[V 3

2 |B1.12,n|R1

2,n|D11,n

]ΣL and B ≡ A10

[V 3

2 |B1.12,n|R1

2,n|D1

1,n

]ΣR.


A ≡ A10

[V 3

2 |if φb(idp2, x2) then B1.22,n else 0|R1

2,n|D11,n

]ΣL.

Since x2 refers to ball2, it follows from Lemma 29 applied to ball2ΣL thatit is a id2-valid ballot and from Lemma 28 that φb(idp2, x2)ball2/x2

ΣL =true and

A′ ≡ A10

[V 3

2 |B1.22,n|R1

2,n|D11,n

]ΣL.

It follows from

B ≡ A10

[V 3

2 |if φb(idp2, x2) then B1.22,n else 0|R1

2,n|D1

1,n

]ΣR

and from Lemma 29 and Lemma 28 applied to ball2ΣR, since φb(idp2, x2)ball2/x2ΣR = true, that B −→ B′ where

B′

= A10

[V 3

2 |B1.22,n|R1

1,n|D1

1,n

]ΣR.

SinceA′ ≡ A10

[V 3

2 |B1.22,n|R1

2,n|D11,n

]ΣL R B′,


(17) We have

A ≡ A10

[V 3

2 |B1.22,n|R1

2,n|D11,n

]ΣL and B ≡ A10

[V 3

2 |B1.22,n|R1

1,n|D1

1,n

]ΣR.

Inria



A ≡ A10

[V 3

2 |cBR〈ball′2〉.B22,n|cBR(p2).R2

2,n|D11,n

]ΣL

andA′ ≡ A11

[V 3

2 |B22,n|R2

2,n|D11,n

]ΣL.

It follows from

B ≡ A10

[V 3

2 |cBR〈ball′2〉.B22,n|cBR(p2).R2

2,n|D1

1,n

]ΣR


B′

= A11

[V 3

2 |B22,n|R2

2,n|D1

1,n

]ΣR.

SinceA′ = A11

[V 3

2 |B22,n|R2

2,n|D11,n

]ΣL R B′,


(18) We have

A ≡ A11

[V 3

2 |B22,n|R2

2,n|D11,n

]ΣL and B ≡ A11

[V 3

2 |B22,n|R2

2,n|D1

1,n

]ΣR.


A ≡ A11

[V 3

2 |B22,n|if φr(idp2, p2) then R3

2,n else 0|D11,n

]ΣL

and it follows from Lemma 28, since ball2ΣL is verifying Lemma 29, thatφr(idp2, p2)ball2/x2

,ball′2 /p2σ = true, thus

A′ ≡ A11

[V 3

2 |B22,n|R3

2,n|D11,n

]ΣL.

It follows from

B ≡ A11

[V 3

2 |B22,n|if φr(idp2, p2) then R3

2,n else 0|D1

1,n

]ΣR

and Lemma 28 and Lemma 29 applied to ball2ΣR that φr(idp2, p2)ball2/x2,

ball′2/p2ΣR = true thus B −→ B′ where

B′

= A11

[V 3

2 |B22,n|R3

2,n|D1

1,n

]ΣL.

SinceA′ = A11

[V 3

2 |B22,n|R3

2,n|D11,n

]ΣL R B′,


(19) We have

A ≡ A11

[V 3

2 |B22,n|R3

2,n|D11,n

]ΣL and B ≡ A11

[V 3

2 |B22,n|R3

2,n|D1

1,n

]ΣR.

RR n° 7781



A ≡ A11

[cRV2

(rec2).V 42 |B2

2,n|cRV2〈r2〉.R4

2,n|D11,n

]ΣL

andA′ ≡ A12

[V 4

2 |B22,n|R4

2,n|D11,n

]ΣL.

It follows from

B ≡ A11

[cRV2(rec2).V 4

2 |B22,n|cRV2〈r2〉.R4

2,n|D1

1,n

]ΣR


B′

= A12

[V 4

2 |B22,n|R4

2,n|D1

1,n

]ΣR.

SinceA′ = A12

[V 4

2 |B22,n|R4

2,n|D11,n

]ΣL R B′,


(20) We have

A ≡ A12

[V 4

2 |B22,n|R4

2,n|D11,n

]ΣL and B ≡ A12

[V 4

2 |B22,n|R4

2,n|D1

1,n

]ΣR.


A ≡ A12

[V 4

2 |cBR(q2).B32,n|cBR〈sigR2 〉.R1

3,n|D11,n

]ΣL

andA′ ≡ A13

[V 4

2 |B32,n|R1

3,n|D11,n

]ΣL.

It follows from

B ≡ A12

[V 4

2 |cBR(q2).B32,n|cBR〈sigR2 〉.R1

3,n|D1

1,n

]ΣR


B′

= A13

[V 4

2 |B32,n|R1

3,n|D1

1,n

]ΣR.

SinceA′ = A13

[V 4

2 |B32,n|R1

3,n|D11,n

]ΣL R B′,


(21) We have

A ≡ A13

[V 4

2 |B32,n|R1

3,n|D11,n

]ΣL and B ≡ A13

[V 4

2 |B32,n|R1

3,n|D1

1,n

]ΣR.


A ≡ A13

[V 4

2 |if φs(idpR, q2) then B3.12,n else 0|R1

3,n|D11,n

]ΣL

Inria


and it follows from Lemma 28 and Lemma 29 applied to ball2ΣL thatφs(idpR, q2)ball2/x2

,ball′2 /p2 ,

sigR2 /q2ΣL = true and

A′ ≡ A13

[V 4

2 |B3.12,n|R1

3,n|D11,n

]ΣL.

It follows from

B ≡ A13

[V 4

2 |if φs(idpR, q2) then B3.12,n else 0|R1

3,n|D1

1,n

]ΣR

and Lemma 28 and Lemma 29 applied to ball2ΣR that φs(idpR, q2)ball2/x2 ,ball′2/p2 ,

sigR2 /q2ΣR = true and B −→ B′ where

B′

= A13

[V 4

2 |B3.12,n|R1

3,n|D1

1,n

]ΣR.

SinceA′ = A13

[V 4

2 |B3.12,n|R1

3,n|D11,n

]ΣL R B′,


(22) We have

A ≡ A13

[V 4

2 |B3.12,n|R1

3,n|D11,n

]ΣL and B ≡ A13

[V 4

2 |B3.12,n|R1

3,n|D1

1,n

]ΣR.


A ≡ A13

[c2(con2).V 5

2 |c2〈q2〉.B3.22,n|R1

3,n|D11,n

]ΣL

andA′ ≡ A14

[V 5

2 |B3.22,n|R1

3,n|D11,n

]ΣL.

It follows from

B ≡ A13

[c2(con2).V 5

2 |c2〈q2〉.B3.22,n|R1

3,n|D1

1,n

]ΣR


B′

= A14

[V 5

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR.

SinceA′ = A14

[V 5

2 |B3.22,n|R1

3,n|D11,n

]ΣL R B′,


(25) We have

A ≡ A13

[V 7

2 |B3.22,n|R1

3,n|D11,n

]ΣL and B ≡ A1

3

[V 7

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR.


A ≡ A13



2 else 0|B3.22,n|R1

3,n|D11,n

]ΣL

RR n° 7781


and it follows from Lemma 29 applied to ball2ΣL that φv(idpR, id2, hv2, con2,

xvote2 , rec2)ball2/x2,ball

′2 /p2 ,


q2 /con2ΣL = true and

A′ ≡ A13

[V 8

2 |B3.22,n|R1

3,n|D11,n

]ΣL.

It follows from

B ≡ A13



2 else 0|B3.22,n|R1

3,n|D1

1,n

]ΣR

and the Lemma 29 applied to ball2ΣR that φv(idpR, id2, hv2, con2, xvote2 , rec2)

ball2/x2,ball

′2 /p2 ,


q2 /con2ΣR = true and B −→ B′ where

B′

= A13

[V 8

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR.

SinceA′ = A1

3

[V 8

2 |B3.22,n|R1

3,n|D11,n

]ΣL R B′,


(26) We have

A ≡ A13

[V 8

2 |B3.22,n|R1

3,n|D11,n

]ΣL and B ≡ A1

3

[V 8

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR.


A ≡ A13

[c2〈Ok〉|c2(sy2).B1

3,n|R13,n|D1

1,n

]ΣL

andA′ ≡ A1

3

[B1

3,n|R13,n|D1

1,n

]ΣL.

It follows from

B ≡ A13

[c2〈Ok〉|c2(sy2).B1

3,n|R13,n|D1

1,n

]ΣR


B′

= A13

[B1

3,n|R13,n|D

1

1,n

]ΣR.

SinceA′ = A1

3

[B1

3,n|R13,n|D1

1,n

]ΣL R B′,


(28) We have

A ≡ A1i

[B1.1i,nMi/xi|R1

i,n|D11,n

]ΣL and B ≡ A1

i

[B1.1i,nMi/xi|R1

i,n|D1

1,n

]ΣR

for some i ∈ 3, . . . , n, N3, . . . , Ni−1 such that Nkθk−1σk−1

NΣL are idk-

valid ballots for k = 3 . . . i− 1, and a term Mi such that

fv(Mi)∪⋃

3≤j≤i−1

fv(Nj) ⊆ dom(A1i ) and (fn(Mi)∪

⋃3≤j≤i−1

fn(Nj))∩bn(A1i ) = ∅.

Inria



A ≡ A1i

[if φb(idpi, xi)Mi/xi then P else 0|R1

i,n|D11,n

]ΣL

with P = B1.2i,n . We also have

B ≡ A1i

[if φb(idpi, xi)Mi/xi then P else 0|R1

i,n|D1

1,n

]ΣR.

We proceed by case analysis on the structure of A′:

• If A′ ≡ A2i

[P |R1

i,n|D11,n

]ΣL, then Miθi−1σ

i−1

NΣL , which is equal to

xiΣL in the A1i context, must have passed φidib , is a idi-valid ballot.

From Corollary 21, since we deduce that xiΣR, in the A1i context,

is also a valid ballot and then B −→ B′ = A2i

[B1.2i,n |R1

i,n|D1

1,n

]ΣR.

Since A′ ≡ A2i

[B1.2i,n |R1

i,n|D11,n

]ΣL R B′, we derive A′ R B′ by the

closure of R under structural equivalence.

• If A′ ≡ A1i

[0Mi/xi|R1

i,n|D11,n

]ΣL, then xiΣL, in the A1

i context,must not have passed φidib , then xiΣL is not idi-valid ballot. FromCorollary 21, we deduce that xiΣR is not a valid ballot either andthen B −→ B′ = A1

i

[0Mi/xi|R1

i,n|D1

1,n

]ΣR. Since A′ ≡ A1

i [0

Mi/xi|R1i,n|D1

1,n

]ΣL R B′, we derive A′ R B′ by the closure of R

under structural equivalence.

(29) We have

A ≡ A2i

[B1.2i,n |R1

i,n|D11,n

]ΣL and B ≡ A2

i

[B1.2i,n |R1

i,n|D1

1,n

]ΣR

for some i ∈ 3, . . . , n, N3, . . . , Ni such that Nkθk−1σk−1

NΣL are idk-valid

ballots for k = 3 . . . i, and such that⋃3≤j≤i

fv(Nj) ⊆ dom(A1i ) and

⋃3≤j≤i

fn(Nj)) ∩ bn(A1i ) = ∅.


A ≡ A2i

[cBR〈ball′i〉.B2

i,n|cBR(pi).R2i,n|D1

1,n

]ΣL

andA′ ≡ A3

i

[B2i,n|R2

i,n|D11,n

]ΣL.

It follows from

B ≡ A2i

[cBR〈ball′i〉.B2

i,n|cBR(pi).R2i,n|D

1

1,n

]ΣR


B′

= A3i

[B2i,n|R2

i,n|D1

1,n

]ΣR.

RR n° 7781


andA′ ≡ A5

i

[B3i,n|R1

i+1,n|D11,n

]ΣL.

It follows from

B ≡ A4i

[cBR(qi).B

3i,n|cBR〈sigRi 〉.R1

i+1,n|D1

1,n

]ΣR


B′

= A5i

[B3i,n|R1

i+1,n|D1

1,n

]ΣR.

SinceA′ ≡ A5

i

[B3i,n|R1

i+1,n|D11,n

]ΣL R B′,


(33) We have

A ≡ A5i

[B3i,n|R1

i+1,n|D11,n

]ΣL and B ≡ A5

i

[B3i,n|R1

i+1,n|D1

1,n

]ΣR


NΣL are idk-valid



⋃3≤j≤i

fn(Nj)) ∩ bn(A1i ) = ∅.


A ≡ A5i

[if φs(idpR, qi) then B3.1

i,n else 0|R1i+1,n|D1

1,n

]ΣL

and it follows from Lemma 28, since Niθi−1σi−1

NΣL is a idi-valid ballot,

that φs(idpR, qi)balli/xi ,ball′i /pi ,

sigRi /qiΣL = true, thus

A′ ≡ A5i

[B3.1i,n |R1

i+1,n|D11,n

]ΣL.

It follows from

B ≡ A5i

[if φs(idpR, qi) then B3.1

i,n else 0|R1i+1,n|D

1

1,n

]ΣR

and from Lemma 28 that φs(idpR, qi)balli/xi ,ball′i /pi ,

sigRi /qiΣR = truesince Niθi−1σ

i−1

NΣR is a idi-valid ballot. Thus B −→ B′ where

B′

= A5i

[B3.1i,n |R1

i+1,n|D1

1,n

]ΣR.

SinceA′ ≡ A5

i

[B3.1i,n |R1

i+1,n|D11,n

]ΣL R B′,


RR n° 7781


(36) We have

A ≡ A′i[B4i,n|D1

1,n

]ΣL and B ≡ A′i

[B4i,n|D

1

1,n

]ΣR

for some N3, . . . , Nn such that Nkθk−1σk−1

NΣL are idk-valid ballots for

k = 3 . . . n, and such that⋃3≤j≤n

fv(Nj) ⊆ dom(A1n) and

⋃3≤j≤n

fn(Nj) ∩ bn(A1n) = ∅.


A ≡ A′i[cBD〈Π1(xi)〉.B4

i+1,n|cBD(di).D1i+1,n

]ΣL

andA′ ≡ A′i+1

[B4i+1,n|D1

i+1,n

]ΣL.

It follows from

B ≡ A′i[cBD〈Π1(xi)〉.B4

i+1,n|cBD(di).D1

i+1,n

]ΣR


B′

= A′i+1

[B4i+1,n|D

1

i+1,n

]ΣR.

SinceA′ ≡ A′i+1

[B4i+1,n|D1

i+1,n

]ΣL R B′,


Labelled Reductions : We must show for all extended processes A andB, where A R B, that if A α−→ A′ for some A′, then B −→∗ α−→−→∗ B′ andA′ R B′ for some B′. We observe that if A R B by an other relation than (1),(10), (11), (14), (23), (24), (27), (31), (34), (35) or (37) to (40) then there is noextended process A′ such that A α−→ A′. We proceed by case analysis on theremaining cases.

(1) We have

A ≡ A0

[V 1

1 |V 12 |B1

1,n|R11,n|D1

1,n

]and B ≡ A0

[V 1

1 |V 12 |B1

1,n|R11,n|D

1

1,n

]If A α−→ A′ such that fv(α) ⊆ dom(A) and bn(α) ∩ bn(B) = ∅, then itmust be the case that

A ≡ A0

[νt1.cout〈ball1〉.V 2

1 |V 12 |B1

1,n|R11,n|D1

1,n

]and

A′ ≡ A1

[V 2

1 |V 12 |B1

1,n|R11,n|D1

1,n

]σ

where α = νb1.cout〈b1〉 and b1 /∈ dom(A0). It follows from

B ≡ A0


1 |V 12 |B1

1,n|R11,n|D

1

1,n

]Inria


that B α−→ B′ where

B′ ≡ A1

[V 2

1 |V 12 |B1

1,n|R11,n|D

1

1,n

]τ.

We haveA1

[V 2

1 |V 12 |B1

1,n|R11,n|D1

1,n

]σ R B′,

and derive A′ R B′ by the closure of R under structural equivalence.

(10) We have

A ≡ A6

[V 5

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ and B ≡ A6

[V 5

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ

If A α−→ A′ such that fv(α) ⊆ dom(A) and bn(α) ∩ bn(B) = ∅, then itmust be the case that

A ≡ A6

[cout〈rec1〉.V 6

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ

andA′ ≡ A7

[V 6

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ

where α = νy1.cout〈y1〉 and y1 /∈ dom(A6). It follows from

B ≡ A6

[cout〈rec1〉.V 6

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ


B′ ≡ A7

[V 6

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ.

We haveA7

[V 6

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ R B′,


(11) We have

A ≡ A7

[V 6

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ and B ≡ A7

[V 6

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ


A ≡ A7

[cout〈con1〉.V 7

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ

andA′ ≡ A8

[V 7

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ

where α = νz1.cout〈z1〉 and z1 /∈ dom(A7). It follows from

B ≡ A7

[cout〈con1〉.V 7

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ

RR n° 7781



B′ ≡ A8

[V 7

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n

]τ.

We haveA8

[V 7

1 |V 12 |B3.2

1,n|R12,n|D1

1,n

]σ R B′,


(14) We have

A ≡ A8

[V 1

2 |B12,n|R1

2,n|D11,n

]σ and B ≡ A8

[V 1

2 |B12,n|R1

2,n|D1

1,n

]τ


A ≡ A8


2 |B12,n|R1

2,n|D11,n

]σ

andA′ ≡ A9

[V 2

2 |B12,n|R1

2,n|D11,n

]ΣL

where α = νb2.cout〈b2〉 and b2 /∈ dom(A8). It follows from

B ≡ A8


2 |B12,n|R1

2,n|D1

1,n

]τ


B′ ≡ A9

[V 2

2 |B12,n|R1

2,n|D1

1,n

]ΣR.

We haveA9

[V 2

2 |B12,n|R1

2,n|D11,n

]ΣL R B′,


(23) We have

A ≡ A14

[V 5

2 |B3.22,n|R1

3,n|D11,n

]ΣL and B ≡ A14

[V 5

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR


A ≡ A14

[cout〈rec2〉.V 6

2 |B3.22,n|R1

3,n|D11,n

]ΣL

andA′ ≡ A15

[V 6

2 |B3.22,n|R1

3,n|D11,n

]ΣL

where α = νy2.cout〈⟨〉y2⟩ and y2 /∈ dom(A14). It follows from

B ≡ A14

[cout〈rec2〉.V 6

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR

Inria



B′ ≡ A15

[V 6

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR.

We haveA15

[V 6

2 |B3.22,n|R1

3,n|D11,n

]ΣL R B′,


(24) We have

A ≡ A15

[V 6

2 |B3.22,n|R1

3,n|D11,n

]ΣL and B ≡ A15

[V 6

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR


A ≡ A15

[cout〈con2〉.V 7

2 |B3.22,n|R1

3,n|D11,n

]ΣL

andA′ ≡ A1

3

[V 7

2 |B3.22,n|R1

3,n|D11,n

]ΣL

where α = νz2.cout〈z2〉 and z2 /∈ dom(A15). It follows from

B ≡ A15

[cout〈con2〉.V 7

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR


B′ ≡ A13

[V 7

2 |B3.22,n|R1

3,n|D1

1,n

]ΣR.

We haveA1

3

[V 7

2 |B3.22,n|R1

3,n|D11,n

]ΣL R B′,


(27) We have

A ≡ A1i

[B1i,n|R1

i,n|D11,n

]ΣL and B ≡ A1

i

[B1i,n|R1

i,n|D1

1,n

]ΣR

for some i ∈ 3, . . . , n, N3, . . . , Ni−1 such that Nkθk−1σk−1N ΣL are idk-

valid ballots for k = 3 . . . i− 1 and⋃3≤j≤i−1


⋃3≤j≤i−1

fn(Nj) ∩ bn(A1i ) = ∅.


A ≡ A1i

[ci(xi).B

1.1i,n |R1

i,n|D11,n

]ΣL

andA′ ≡ A1

i

[B1.1i,nMi/xi|R1

i,n|D11,n

]ΣL

RR n° 7781



A ≡ A5i

[ci〈qi〉.B3.2

i,n |R1i+1,n|D1

1,n

]ΣL

andA′ ≡ A6

i

[B3.2i,n |R1

i+1,n|D11,n

]ΣL

where α = νzi.ci〈zi〉 and zi /∈ dom(A5i ). It follows from

B ≡ A5i

[ci〈qi〉.B3.2

i,n |R1i+1,n|D

1

1,n

]ΣR


B′ ≡ A6i

[B3.2i,n |R1

i+1,n|D1

1,n

]ΣR.

We haveA6i

[B3.2i,n |R1

i+1,n|D11,n

]ΣL R B′,


(35) We have

A ≡ A6i

[B3.2i,n |R1

i+1,n|D11,n

]ΣL and B ≡ A6

i

[B3.2i,n |R1

i+1,n|D1

1,n

]ΣR




⋃3≤j≤i

fn(Nj) ∩ bn(A1i ) = ∅.

If A α−→ A′ such that fv(α) ⊆ dom(A) and bn(α)∩ bn(B) = ∅, then thereare two cases :

– If 3 ≤ i < n.

A6i

[ci(syi).B

1i+1,n|R1

i+1,n|D11,n

]ΣL

andA′ ≡ A1

i+1

[B1i+1,n|R1

i+1,n|D11,n

]ΣL

where α = ci(Wi) for some term Wi such that fn(α) ∩ bn(A6i ) = ∅.

It follows from

B ≡ A6i

[ci(syi).B

1i+1,n|R1

i+1,n|D1

1,n

]ΣR


B′ ≡ A1i+1

[B1i+1,n|R1

i+1,n|D1

1,n

]ΣR.

We haveA1i+1

[B1i+1,n|R1

i+1,n|D11,n

]ΣL R B′,


RR n° 7781


– If i = n. A6n

[cn(syn).B4

1,n|D11,n

]ΣL and A′ ≡ A′1

[B4

1,n|D11,n

]ΣL

where α = cn(Wn) for some term Wn such that fn(α) ∩ bn(A6n) = ∅.

It follows from B ≡ A6n

[cn(syn).B4

1,n|D1

1,n

]ΣR that B α−→ B′ where

B′ ≡ A′1

[B4

1,n|D1

1,n

]ΣR. We have A′1

[B4

1,n|D11,n

]ΣL R B′, and de-

rive A′ R B′ by the closure of R under structural equivalence.

(37) We haveA ≡ A′n+1

[D2

1,n

]ΣL and B ≡ A′n+1

[D

2

1,n

]ΣR





⋃3≤j≤n

fn(Nj) ∩ bn(A1n) = ∅.


A ≡ A′n+1

[cout〈dec1〉.D2

2,n

]ΣL

andA′ ≡ A′′1

[D2

2,n

]ΣL

where α = ν result1.cout〈result1〉 and result1 /∈ dom(A′n+1). It followsfrom

B ≡ A′n+1

[cout〈dec2〉.D

2

2,n

]ΣR

that B α−→ B′ whereB′ ≡ A′′1

[D

2

2,n

]ΣR.

We haveA′′1[D2

2,n

]ΣL R B′,


(38) We haveA ≡ A′′1

[D2

2,n

]ΣL and B ≡ A′′1

[D

2

2,n

]ΣR





⋃3≤j≤n

fn(Nj) ∩ bn(A1n) = ∅.


A ≡ A′′1[cout〈dec2〉.D2

3,n

]ΣL

andA′ ≡ A′′2

[D2

3,n

]ΣL

Inria


where α = ν result2.cout〈result2〉 and result2 /∈ dom(A′′1). It follows from

B ≡ A′′1[Out[cout]dec1.D

2

3,n

]ΣR

that B α−→ B′ whereB′ ≡ A′′2

[D

2

3,n

]ΣR.

We haveA′′2[D2

3,n

]ΣL R B′,


(39) We haveA ≡ A′′i−1

[D2i,n

]ΣL and B ≡ A′′i−1

[D

2

i,n

]ΣR





⋃3≤j≤n

fn(Nj) ∩ bn(A1n) = ∅.

If A α−→ A′ such that fv(α) ⊆ dom(A) and bn(α)∩ bn(B) = ∅, then thereare two cases :

– If 3 ≤ i < n.

A′′i−1

[cout〈deci〉.D2

i+1,n

]ΣL and A′ ≡ A′′i

[D2

1+1,n

]ΣL

where α = ν result i.cout〈result i〉 and result i /∈ dom(A′′i−1). It followsfrom

B ≡ A′′i−1

[cout〈deci〉.D

2

i+1,n

]ΣR


B′ ≡ A′′i[D

2

i+1,n

]ΣR.

We haveA′′i[D2

1+1,n

]ΣL R B′,


– If i = n.A′′n−1 [cout〈decn〉] ΣL and A′ ≡ A′′n [0] ΣL

where α = ν resultn.cout〈resultn〉 and resultn /∈ dom(A′′n−1). It fol-lows from

B ≡ A′′n−1 [cout〈decn〉] ΣR

that B α−→ B′ whereB′ ≡ A′′n [0] ΣR.

We haveA′′n [0] ΣL R B′,


RR n° 7781


B.5 Proving the Theorem 4As R is verifying the three properties of Definition 2, we have to show thatfor all extended processes A and B, where ARB, that A ≈s B. Using Lemma9, it is sufficient to prove that A′′n [0] ΣL ≈s A

′′n [0] ΣR for any Ni such that

Niθi−1σi−1

NΣ are idi-valid ballots. As A′′n [0] ΣL is mapped in n.(θ|R)σNΣL and

A′′n [0] ΣR is mapped in n.(θ|R)σNΣR, we conclude using Proposition 8.

C Proof of Theorem 3Let us remind the Theorem we need to prove.

Theorem 3. Let n be the number of voters. The Norwegian e-voting protocolprocess specification satisfies ballot secrecy with the auditing process, even withn− 2 voters are corrupted, provided that the other components are honest.

An[V c1/cauth ,cRV1 /cRV σ | V c2/cauth ,cRV2 /cRV τ ]

≈l An [V c1/cauth ,cRV1 /cRV τ |V c2/cauth ,cRV2 /cRV σ]

where σ = v1/xvote and τ = v2/xvote.Let us introduce the relation we will use to prove labeled bisimilarity.

C.1 Partial evolutions of protocol specificationFirst, we will introduce partial evolutions of the protocol process specificationand remind some notations used. One can note that the notations are the sameas those we used in the previous section when proving Theorem 4, since weredefine them here, there are no possible confusion.

Definition 30. Notations and partial evolutions for honest voters. (i ∈ 1, 2)

V 1i = cout〈balli〉.V 2

i ei = penc(xivote, ti, pk(a1))V 2i = ci〈balli〉.V 3

i pfk i = pfk1(idi, ti, xivote, ei)

V 3i = cRVi(reci).V

4i sigi = sign((ei, pfk i), idi)

V 4i = ci(coni).V

5i balli = (ei, pfk i, sigi)

V 5i = cout〈coni〉.V 6

i hvi = hash((vk(idi), ei, pfk i, sigi))V 6i = cout〈reci〉.V 7

i

V 7i = if φv(idpR, idi, hvi, coni, xvotei , reci) then V 8

i else 0V 8i = ci〈Ok〉

Definition 31. Notations and partial evolutions for the ballot box. (i ∈ 1, . . . , n)

B1i,n = ci(xi).B

1.1i,n e′i = renc(Π1(xi), s(idi))

B1.1i,n = if φb(idpi, xi) then B1.2

i,n else 0 pfk ′i = pfk2(idi, a2,Π1(xi), e′i)

B1.2i,n = cBR〈ball′i〉.B2

i,n e′′i = blind(e′i, s(idi))B2i,n = cBR(qi).B

3i,n pfk ′′i = pfk2(idi, s(idi), e

′i, e′′i )

B3i,n = if φs(idpR, hbbi, qi) then B3.1

i,n else 0 ball′i = (xi, e′i, pfk

′i, e′′i , pfk

′′i )

B3.1i,n = ci〈qi〉.B3.2

i,n hbbi = hash((vk(idi), xi))B3.2i,n = ci(syi).B

1i+1,n

B3.2n,n = cn(syn).B4

1,n

Inria


B4i,n = cBD〈Π1(xi)〉.B4

i+1,n

B4n,n = cBD〈Π1(xn)〉.B5

1,n

B5i,n = cBA〈xi〉.B5

i+1,n

B5n,n = cBA〈xn〉

Definition 32. Notations et and partial evolutions for the receipt generator.(i ∈ 1, . . . , n)

R1i,n = cBR(pi).R

2i,n

R2i,n = if φr(idpi, pi) then R3

i,n else 0R3i,n = cRVi〈ri〉.R4

i,n ri = d(p(idi), dec(Π6(pi), a3))R4i,n = cBR〈sigRi 〉.R1

i+1,n hbri = hash((idpi,Π1(pi),Π2(pi),Π3(pi)))R4n,n= cBR〈sigRn 〉.R5

1,n sigRi = sign(hbri, idR)R5i,n = cRA〈(idpi, hbpri, hbri)〉.R5

i+1,n

R5n,n= cBR〈(idpi, hbpri, hbri)〉

Definition 33. Notations and partial evolutions for the decryption service, wedistinguish two cases : one without a swap (D) and one with swap (D).(i ∈1, . . . , n)

deci = dec(di, a1) D1

i,n = cBD(dj).D1

i+1,n

D1

n,n = cBD(dn).D2

1

D1i,n = cBD(di).D

1i+1,n D

2

1 = cDA〈hash((d1, . . . , dn))〉.D2

2

D1n,n= cBD(dn).D2

1,n D2

2 = cDA(h).D3

1,n

D21 = cDA〈hash((d1, . . . , dn))〉.D2

2 D3


2,n

D22 = cDA(h).D3

1,n D3


3,n

D3i,n = cout〈deci〉.D3

i+1,n D3

i,n = cout〈deci〉.D2

i+1,n

D3n,n= cout〈decn〉 D

3

n,n = cout〈decn〉

Definition 34. Partial evolutions for the auditor. (j ∈ 1, . . . , n)

AD1 = cDA(hd).AD21,n

AD2j,n= cBA(baj).AD

2j+1,n

AD2n,n= cBA(ban).AD3

1,n

AD3j,n= cRA(haj).AD

3j+1,n

AD3n,n= cRA(han).AD4

1

AD41 = if φa(ba1, ha1, idp1, . . . , ban, han, idpn, h, hd) then AD4

2 else 0AD4

2 = cDA〈Ok〉

Definition 35. Partial evolutions of global process representing the enrichmentof the frame as the process advances.


, cBR, cBD)Γ = pk(a1)/g1 ,

pk(a2) /g2 ,pk(a3) /g3 ,

vk(id1) /idp1 , . . . ,vk(idn) /idpn ,

vk(idR) /idpR

A0 = νn. [_|Γ]A1 = ν(n, t1).

[_|ball1/b1|Γ

]A2 = ν(n, t1, x1).

[_|ball1/b1|ball1/x1|Γ

]RR n° 7781


bai = bak|k ∈ 1, . . . , i− 1Θi = Π1(xk)/dk|k ∈ 1, . . . , i− 1A8i = ν(n, mn+1, dn+1, hd, bai).

[_|Θi|hash((d1,...,dn))/hd|

Ωn+1|Λn+1|Λ|Γ]

hai = hak|k ∈ 1, . . . , i− 1∆i = Π1(xk)/dk|k ∈ 1, . . . , i− 1A9i = ν(n, mn+1, dn+1, hd, ban+1, hai).

[_|∆i|Θn+1|hash((d1,...,dn))/hd|Ωn+1|

Λn+1|Λ|Γ]

A′ = ν(n, mn+1, dn+1, hd, ban+1, han+1, h).[_|Ok/h|∆n+1|Θn+1|

hash((d1,...,dn))/hd|Ωn+1|Λn+1|Λ|Γ]

A′′1 = A′[_|dec1/result1

]A′′i = A′′i−1

[_|deci/resulti

]A′′1 = A′

[_|dec2/result1

]A′′2 = A

′′1

[_|dec1/result2

]A′′i = A

′′i−1

[_|deci/resulti

]C.2 Relation

Now we can define the relation.

Definition 36. Given integer n ≥ 2, ∀ 3 ≤ j ≤ n, let Mj and Nj termssuch that Njθj−1σ

j−1

NΣL is an idj-valid ballot, and such that fv(Mj)∪ fv(Nj) ⊆

dom(A1j ) and (fn(Mj)∪ fn(Nj))∩bn(A1

j ) = ∅. We consider the smallest relationR which is closed under structural equivalence and includes the following pairsof extended processes :

A0

[V 1

1 |V 12 |B1

1,n|R11,n|D1

1,n|AD1]∼R A0

[V 1

1 |V 12 |B1

1,n|R11,n|D

1

1,n|AD1]

(1)

A1

[V 2

1 |V 12 |B1

1,n|R11,n|D1

1,n|AD1]σ ∼R A1

[V 2

1 |V 12 |B1

1,n|R11,n|D

1

1,n|AD1]τ (2)

A2

[V 3

1 |V 12 |B1.1

1,n|R11,n|D1

1,n|AD1]σ ∼R A2

[V 3

1 |V 12 |B1.1

1,n|R11,n|D

1

1,n|AD1]τ (3)

A2

[V 3

1 |V 12 |B1.2

1,n|R11,n|D1

1,n|AD1]σ ∼R A2

[V 3

1 |V 12 |B1.2

1,n|R11,n|D

1

1,n|AD1]τ (4)

A3

[V 3

1 |V 12 |B2

1,n|R21,n|D1

1,n|AD1]σ ∼R A3

[V 3

1 |V 12 |B2

1,n|R21,n|D

1

1,n|AD1]τ (5)

A3

[V 3

1 |V 12 |B2

1,n|R31,n|D1

1,n|AD1]σ ∼R A3

[V 3

1 |V 12 |B2

1,n|R31,n|D

1

1,n|AD1]τ (6)

A4

[V 4

1 |V 12 |B2

1,n|R41,n|D1

1,n|AD1]σ ∼R A4

[V 4

1 |V 12 |B2

1,n|R41,n|D

1

1,n|AD1]τ (7)

A5

[V 4

1 |V 12 |B3

1,n|R12,n|D1

1,n|AD1]σ ∼R A5

[V 4

1 |V 12 |B3

1,n|R12,n|D

1

1,n|AD1]τ (8)

A5

[V 4

1 |V 12 |B3.1

1,n|R12,n|D1

1,n|AD1]σ ∼R A5

[V 4

1 |V 12 |B3.1

1,n|R12,n|D

1

1,n|AD1]τ (9)

A6

[V 5

1 |V 12 |B3.2

1,n|R12,n|D1

1,n|AD1]σ ∼R A6

[V 5

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n|AD1]τ

(10)

A7

[V 6

1 |V 12 |B3.2

1,n|R12,n|D1

1,n|AD1]σ ∼R A7

[V 6

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n|AD1]τ

(11)RR n° 7781


A8

[V 7

1 |V 12 |B3.2

1,n|R12,n|D1

1,n|AD1]σ ∼R A8

[V 7

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n|AD1]τ

(12)

A8

[V 8

1 |V 12 |B3.2

1,n|R12,n|D1

1,n|AD1]σ ∼R A8

[V 8

1 |V 12 |B3.2

1,n|R12,n|D

1

1,n|AD1]τ

(13)

A8

[V 1

2 |B12,n|R1

2,n|D11,n|AD1

]σ ∼R A8

[V 1

2 |B12,n|R1

2,n|D1

1,n|AD1]τ (14)

A9

[V 2

2 |B12,n|R1

2,n|D11,n|AD1

]ΣL ∼R A9

[V 2

2 |B12,n|R1

2,n|D1

1,n|AD1]

ΣR (15)

A10

[V 3

2 |B1.12,n|R1

2,n|D11,n|AD1

]ΣL ∼R A10

[V 3

2 |B1.12,n|R1

2,n|D1

1,n

]|AD1ΣR

(16)

A10

[V 3

2 |B1.22,n|R1

2,n|D11,n|AD1

]ΣL ∼R A10

[V 3

2 |B1.22,n|R1

2,n|D1

1,n

]|AD1ΣR

(17)

A11

[V 3

2 |B22,n|R2

2,n|D11,n|AD1

]ΣL ∼R A11

[V 3

2 |B22,n|R2

2,n|D1

1,n|AD1]

ΣR

(18)

A11

[V 3

2 |B22,n|R3

2,n|D11,n|AD1

]ΣL ∼R A11

[V 3

2 |B22,n|R3

2,n|D1

1,n|AD1]

ΣR

(19)

A12

[V 4

2 |B22,n|R4

2,n|D11,n|AD1

]ΣL ∼R A12

[V 4

2 |B22,n|R4

2,n|D1

1,n|AD1]

ΣR

(20)

A13

[V 4

2 |B32,n|R1

3,n|D11,n|AD1

]ΣL ∼R A13

[V 4

2 |B32,n|R1

3,n|D1

1,n|AD1]

ΣR

(21)

A13

[V 4

2 |B3.12,n|R1

3,n|D11,n|AD1

]ΣL ∼R A13

[V 4

2 |B3.12,n|R1

3,n|D1

1,n|AD1]

ΣR

(22)

A14

[V 5

2 |B3.22,n|R1

3,n|D11,n|AD1

]ΣL ∼R A14

[V 5

2 |B3.22,n|R1

3,n|D1

1,n|AD1]

ΣR

(23)

A15

[V 6

2 |B3.22,n|R1

3,n|D11,n|AD1

]ΣL ∼R A15

[V 6

2 |B3.22,n|R1

3,n|D1

1,n|AD1]

ΣR

(24)

A13

[V 7

2 |B3.22,n|R1

3,n|D11,n|AD1

]ΣL ∼R A1

3

[V 7

2 |B3.22,n|R1

3,n|D1

1,n|AD1]

ΣR (25)

A13

[V 8

2 |B3.22,n|R1

3,n|D11,n|AD1

]ΣL ∼R A1

3

[V 8

2 |B3.22,n|R1

3,n|D1

1,n|AD1]

ΣR (26)

(i ∈ 3, . . . , n, R1n+1,n = R5

1,n)

A1i

[B1i,n|R1

i,n|D11,n|AD1

]ΣL ∼R A1

i

[B1i,n|R1

i,n|D1

1,n|AD1]

ΣR (27)

A1i

[B1.1i,nMi/xi|R1

i,n|D11,n|AD1

]ΣL ∼R A1

i

[B1.1i,nMi/xi|R1

i,n|D1

1,n|AD1]

ΣR

(28)

A2i

[B1.2i,n |R1

i,n|D11,n|AD1

]ΣL ∼R A2

i

[B1.2i,n |R1

i,n|D1

1,n|AD1]

ΣR (29)

A3i

[B2i,n|R2

i,n|D11,n|AD1

]ΣL ∼R A3

i

[B2i,n|R2

i,n|D1

1,n|AD1]

ΣR (30)

Inria


A3i

[B2i,n|R3

i,n|D11,n|AD1

]ΣL ∼R A3

i

[B2i,n|R3

i,n|D1

1,n|AD1]

ΣR (31)

A4i

[B2i,n|R4

i,n|D11,n|AD1

]ΣL ∼R A4

i

[B2i,n|R4

i,n|D1

1,n|AD1]

ΣR (32)

A5i

[B3i,n|R1

i+1,n|D11,n|AD1

]ΣL ∼R A5

i

[B3i,n|R1

i+1,n|D1

1,n|AD1]

ΣR (33)

A5i

[B3.1i,n |R1

i+1,n|D11,n|AD1

]ΣL ∼R A5

i

[B3.1i,n |R1

i+1,n|D1

1,n|AD1]

ΣR (34)

A6i

[B3.2i,n |R1

i+1,n|D11,n|AD1

]ΣL ∼R A6

i

[B3.2i,n |R1

i+1,n|D1

1,n|AD1]

ΣR (35)

(i ∈ 1, . . . , n, j ∈ 3, . . . , n)

A7i

[B4i,n|R5

1,n|D1i,n|AD1

]ΣL ∼R A7

i

[B4i,n|R5

1,n|D1

i,n|AD1]

ΣR (36)

A7n+1

[B5

1,n|R51,n|D2

1|AD1]

ΣL ∼R A7n+1

[B5

1,n|R51,n|D

2

1|AD1]

ΣR (37)

A8i

[B5i,n|R5

1,n|D22|AD2

i,n

]ΣL ∼R A8

i

[B5i,n|R5

1,n|D2

2|AD2i,n

]ΣR (38)

A9i

[R5i,n|D2

2|AD3i,n

]ΣL ∼R A9

i

[R5i,n|D

2

2|AD3i,n

]ΣR (39)

A9n+1

[D2

2|AD41

]ΣL ∼R A9

n+1

[D

2

2|AD41

]ΣR (40)

A9n+1

[D2

2|AD42

]ΣL ∼R A9

n+1

[D

2

2|AD42

]ΣR (41)

A′[D2

1,n

]ΣL ∼R A′

[D

2

1,n

]ΣR (42)

A′′1[D2

2,n

]ΣL ∼R A

′′1

[D

2

2,n

]ΣR (43)

A′′j−1

[D2j,n

]ΣL ∼R A

′′j−1

[D

2

j,n

]ΣR (44)

A′′n [0] ΣL ∼R A′′n [0] ΣR (45)

(i ∈ 3, . . . , n)

A1i

[Mi/xi|R1

i,n|D11,n

]ΣL ∼R A1

i

[Mi/xi|R1

i,n|D1

1,n

]ΣR (46)

C.3 Proof for the relation

The proof is quite the same as the one without auditor since most of equiv-alences are identical except that we add a auditor part in parallel, or renamesome partial states of processes. There modified cases are equivalences (37)to (41) which are basically representing the auditor’s behaviour and can onlyevolve with internal reduction.

Internal Reductions : We must show for all extended processes A andB, where A R B, that if A −→ A′ for some A′, then B −→ B′ and A′ R B′ forsome B′.

(37) We have

A ≡ A7n+1

[B5

1,n|R51,n|D2

1|AD1]

ΣL and B ≡ A7n+1

[B5

1,n|R51,n|D

2

1|AD1]

ΣR

RR n° 7781






⋃3≤j≤n

fn(Nj) ∩ bn(A1n) = ∅.


A ≡ A7n+1

[B5

1,n|R51,n|cDA〈hash((d1, . . . , dn))〉.D2

2|cDA(hd).AD21,n

]ΣL

andA′ ≡ A8

1

[B5

1,n|R51,n|D2

2|AD21,n

]ΣL.

It follows from

B ≡ A7n+1

[B5

1,n|R51,n|cDA〈hash((d1, . . . , dn))〉.D2

2|cDA(hd).AD21,n

]ΣR


B′

= A81

[B5

1,n|R51,n|D

2

2|AD21,n

]ΣR.

SinceA′ ≡ A8

1

[B5

1,n|R51,n|D2

2|AD21,n

]ΣL R B′,


(38) We have

A ≡ A8i

[B5i,n|R5

1,n|D22|AD2

i,n

]ΣL and B ≡ A8

1

[B5i,n|R5

1,n|D2

2|AD2i,n

]ΣR





⋃3≤j≤n

fn(Nj) ∩ bn(A1n) = ∅.

We have two cases :

• If 1 ≤ i < n.

A8i

[cBA〈xi〉.B5

i+1,n|R51,n|D2

2|cBA(bai).AD2i+1,n

]ΣL

andA′ ≡ A8

i+1

[B5i+1,n|R5

1,n|D22|AD2

i+1,n

]ΣL.

It follows from

B ≡ A8i

[cBA〈xi〉.B5

i+1,n|R51,n|D

2

2|cBA(bai).AD2i+1,n

]ΣR


B′ ≡ A8i+1

[B5i+1,n|R5

1,n|D2

2|AD2i+1,n

]ΣR.

We haveA8i+1

[B5i+1,n|R5

1,n|D22|AD2

i+1,n

]ΣL R B′,


Inria


• If i = n.A8n

[cBA〈xn〉|R5

1,n|D22|cBA(ban).AD3

1,n

]ΣL

andA′ ≡ A9

1

[R5

1,n|D22|AD3

1,n

]ΣL.

It follows from

B ≡ A8n

[cBA〈xn〉|R5

1,n|D2

2|cBA(ban).AD31,n

]ΣR


B′ ≡ A91

[R5

1,n|D2

2|AD31,n

]ΣR.

We haveA9

1

[R5

1,n|D22|AD3

1,n

]ΣL R B′,


(39) We have

A ≡ A9i

[R5i,n|D2

2|AD3i,n

]ΣL and B ≡ A9

1

[R5i,n|D

2

2|AD3i,n

]ΣR





⋃3≤j≤n

fn(Nj) ∩ bn(A1n) = ∅.

We have two cases :

• If 1 ≤ i < n.

A9i

[cRA〈(idpi, hbpri, hbri)〉.R5

i+1,n|D22|cRA(hai).AD

3i+1,n

]ΣL

andA′ ≡ A9

i+1

[R5i+1,n|D2

2|AD3i+1,n

]ΣL.

It follows from

B ≡ A9i

[cRA〈(idpi, hbpri, hbri)〉.R5

i+1,n|D2

2|cRA(hai).AD3i+1,n

]ΣR


B′ ≡ A9i+1

[R5i+1,n|D

2

2|AD3i+1,n

]ΣR.

We haveA9i+1

[R5i+1,n|D2

2|AD3i+1,n

]ΣL R B′,


RR n° 7781


• If i = n.

A9n

[cRA〈(idpn, hbprn, hbrn)〉|D2

2|cRA(han).AD41

]ΣL

andA′ ≡ A9

n+1

[D2

2|AD41

]ΣL.

It follows from

B ≡ A9n

[cRA〈(idpn, hbprn, hbrn)〉|D2

2|cRA(han).AD41

]ΣR


B′ ≡ A9n+1

[D

2

2|AD41

]ΣR.

We haveA9n+1

[D2

2|AD41

]ΣL R B′,


(40) We have

A ≡ A9n+1

[D2

2|AD41

]ΣL and B ≡ A9

n+1

[D

2

2|AD41

]ΣR





⋃3≤j≤n

fn(Nj) ∩ bn(A1n) = ∅.


A ≡ A9n+1

[D2

2|if φa(ba1, ha1, idp1, . . . , ban, han, idpn, h, hd) then P else 0]

ΣL

with P = AD42. Since Miθi−1σ

i−1

NΣL , which is equal to xiΣL in the A1

i

context, is a idi-valid ballot for i ∈ 1, . . . , n, using 28, it is obvious thatthe φa is passed. (The auditor is just creating what the receipt generatordid, since these two ones are not cheating, it must be correct.) Then

A′ ≡ A9n+1

[D2

2|AD42

]ΣL.

It follows from

B ≡ A9n+1

[D

2

2|if φa(ba1, ha1, idp1, . . . , ban, han, idpn, h, hd) then P else 0]

ΣR

and the fact that Miθi−1σi−1

NΣR are also idi-valid ballots that B −→ B′

whereB

′= A9

n+1

[D

2

2|AD42

]ΣR.

SinceA′ ≡ A9

n+1

[D2

2|AD42

]ΣL R B′,


Inria


(41) We have

A ≡ A9n+1

[D2

2|AD42

]ΣL and B ≡ A9

n+1

[D

2

2|AD42

]ΣR





⋃3≤j≤n

fn(Nj) ∩ bn(A1n) = ∅.


A ≡ A9n+1

[cDA(h).D3

1,n|cDA〈Ok〉]

ΣL

andA′ ≡ A′

[D3

1,n

]ΣL.

It follows from

B ≡ A9n+1

[cDA(h).D

3

1,n|cDA〈Ok〉.AD31,n

]ΣR

that B −→ B′ whereB

′= A′

[D

3

1,n

]ΣR.

SinceA′ ≡ A′

[D3

1,n

]ΣL R B′,


C.4 Proving the Theorem 3As R is verifying the three properties of Definition 2, we have to show thatfor all extended processes A and B, where ARB, that A ≈s B. Using Lemma9, it is sufficient to prove that A′′n [0] ΣL ≈s A

′′n [0] ΣR for any Ni such that

Niθi−1σi−1

NΣ are idi-valid ballots. As A′′n [0] ΣL is mapped in n.(θ|R)σNΣL and

A′′n [0] ΣR is mapped in n.(θ|R)σNΣR, we conclude using Proposition 8.

RR n° 7781

RESEARCH CENTRENANCY – GRAND EST

615 rue du Jardin BotaniqueCS2010154603 Villers-lès-Nancy Cedex

PublisherInriaDomaine de Voluceau - RocquencourtBP 105 - 78153 Le Chesnay Cedexinria.fr

ISSN 0249-6399

a formal analysis of the norwegian e-voting protocol · a formal analysis of the norwegian e-voting...

Documents